Rapid Prototyping Software for Avionics Systems E-Book

Contents

Introduction

I.1. The use of model-based approaches

I.2. Structure of this book

1 Developing Model-Based Design Methods in Software Engineering

1.1. The history of model-based design

1.2. The Unified Modeling Language, a support for model-based methods

1.3. Formal model-based validation techniques

2 Methodology for Rapid Prototyping Avionic Software

2.1. The specificities of the avionic domain

2.2. The certification of an avionic system

2.3. Methodology of rapid development in seven stages

2.4. Chapter summary

3 Implementing the Prototyping Methodology to Develop a Next Generation Avionic Router

3.1. Introduction to next generation aeronautical communication domains

3.2. Implementing the SNG router

3.3. Evaluating the performance of the SNG router

3.4. Chapter summary

Conclusion

Bibliography

Index

First published 2014 in Great Britain and the United States by ISTE Ltd and John Wiley & Sons, Inc.

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licenses issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentioned address:

ISTE Ltd

27-37 St George’s Road

London SW19 4EU

UK

www.iste.co.uk

John Wiley & Sons, Inc.

111 River Street

Hoboken, NJ 07030

USA

www.wiley.com

© ISTE Ltd 2014

The rights of Nicolas Larrieu and Antoine Varet to be identified as the authors of this work have been asserted by them in accordance with the Copyright, Designs and Patents Act 1988.

Library of Congress Control Number: 2014949836

British Library Cataloguing-in-Publication Data

A CIP record for this book is available from the British Library

ISSN 2051-2481 (Print)

ISSN 2051-249X (Online)

ISBN 978-1-84821-764-5

Introduction

Aeronautics1 has for some time been stressing the need for safety systems that prevent the malicious use of materials or services that companies install onboard airplanes for their own use and requirements.

With the future arrival of onboard Internet access in most cabins, the need for safety will become a priority. Currently, no safety2 solution exists that, on the one hand, manages this new type of air-to-ground traffic (belonging to the Aeronautical Passenger Communication [APC] family) and, on the other hand, is capable of integrating it with other types of traffic between the aircraft and ground (Aeronautical Operational Control [AOC], Aeronautical Administrative Communication [AAC] and Air Traffic Services Communication [ATSC] traffic, for instance), while maximizing the level of strength offered.

The majority of approaches to “air” safety focus on methods and techniques that make safe exchanges within the airplane or a link used exclusively for communicating with air control. The Avionics Full-Duplex Switched Ethernet (AFDX) onboard avionic3 network cannot, therefore, be physically accessed by passengers: this segregation ensures its security4. Meanwhile, the Air Traffic Communications (ATC) air-to-ground flow uses the frequencies dedicated to civil aeronautical communication, which are prohibited by law for any other use.

Though necessary, this safety problem will no longer suffice when the avionic network interconnects with the remaining communication networks, including the Internet network. It is becoming increasingly apparent that this is an unavoidable step. Indeed passengers – who are used to being able to connect to the Internet everywhere on the ground – are increasingly calling for access to their work tools from their cabin seat.

This book will, therefore, put forward a software engineering method that enables the development of a security architecture for the set of aeronautical communications that will complement the safety architecture used in the avionic network and that will, moreover, facilitate a safe interconnection between the world of the “airplane” and the external world (for instance, the Internet network).

The architectural solution put forward in this book is principally based on a central routing, filtering and safety component for the flow of aeronautical data. The modelbased software engineering method presented in this book enabled research into design and development to be realized. This led to the central avionic component called the Secure Next Generation (SNG) router being developed. The functionalities implemented by the SNG router are summarized in Figure I.1.

One of the challenges of this work was to take into account the standardization issues adopted by the avionic world, to integrate them as prerequisites and to propose an overall safety system involving the airplane segment, the ground-board segment and the ground segment.

Indeed, this work can only be scientifically and industrially sustainable if it takes into account the set of security and safety criteria characterizing the different environments and considers, from the offset, the different principles of standardization for the latter.

Figure I.1.Example of the deployment of the SNG router in the aeronautical context

I.1. The use of model-based approaches

The complexity of developing onboard avionic systems led us to preliminary research into the development process, which then led to the creation of a generic methodology of design. This new methodology for the development of avionic software and rapid prototyping takes into account, from the moment the scope statement is established, the security and safety constraints associated with the system to be implemented.

Our development methodology for the SNG router is based on functionality modeling, the automatic transformation of models in source code and the use of critical operating systems that implement virtualization. Indeed, the models have undeniable advantages in terms of the speed and reusability of the development, as well as for the verification and validation of the modeled systems. Automatic transformation contributes toward ensuring the safety of the generated code, and therefore of the final software. Critical operating systems are keys to the security of the execution of the software generated with our methodology.

These modelings not only enable certain properties of the modeled mechanisms for the SNG router to be formally verified, but also a source code to be automatically generated in order to implement these mechanisms. To our knowledge, we are the first in the aeronautical domain to have used formally verifiable models to implement these network mechanisms via a model transformation toward the source code.

Discussed at the end of this book, the validation of the router software on the emulator and then the real onboard system as well as the quantitative and qualitative evaluation of the network performance of this router have thus enabled the cycle of industrial development – on which this research is based – to be completed and finalized.

It is essential that from this introduction the readers understand the importance of model-based development for the design of complex computer systems. This importance translates into considering the possibility of using software tool chains in certificate procedures for aeronautical systems (see documents RTCA DO-178C and DO-331 that will be presented in this work), enabling software source code to be generated from high-level models, which will be deployed in critical aeronautical systems.

I.2. Structure of this book

In order to understand the interest of model-based approaches, it is important to place them in wider context than that of the aeronautical domain (this is the focus of Chapter 1). Chapter 2 will then discuss the specificities of the domain of the design of aeronautical and avionic systems, and an original model-based design method will be presented. This method was designed to meet the particular needs of aeronautics. This chapter will detail the methodological contribution of this work, which proposes a new method of model-based rapid prototyping. Chapter 3 will detail the different stages involved in the aforementioned method. This method will be illustrated with a concrete example of the development of a critical onboard system: a secure and safe router for new-generation avionics (SNG router). This will be the focus of Chapter 3. This represents a concrete example of the complex onboard system in the avionic domain. The specificities of aeronautics, our domain of interest for this software engineering task, will be introduced. We will stress the need for new means of interconnection as well as the requirement that both the security and safety of the communication be considered. We will illustrate, in particular, how this methodology can be instantiated for the specific case of the development of a safe onboard router. The chain of tools used to apply our methodology will be detailed. Examples will be given for each tool. This final chapter will conclude with a summary of the performance of the system, which was developed via the intermediary of our model-based methodology.

The benefits and advantages of our methodology for design and development as well as for the overall performance of the system produced will thus become apparent. From the results, we are able to state that the methodology presented in this book has a high level of effectiveness.

1 Aeronautics designates the sciences and technologies that aim to construct and develop an aircraft in the Earth’s atmosphere.

2 In the context of air travel, safety is the property of innocuity in a system. It aims to protect the system from failure and breakdown.

3 Avionics is the set of electronic, electric and computer equipment in an aircraft. Thus, it is a subset of the aeronautical domain: avionics exclusively concerns the inside of the airplane, whereas aeronautics encompasses the avionic domain in addition to its environment, including control and navigation facilities on the ground.

4 In the context of air travel, security is the property of immunity in a system. It designates a system’s capacity to manage external threats and dangers.

1

Developing Model-Based Design Methods in Software Engineering

The objective of Chapter 1 is to give an overview of the different model-based design methods in the domain of software engineering and of their development over the past three decades. We have decided to pause for a moment on the most commonly used language for writing models in the domain of system design today: Unified Modeling Language (UML). This standardized language ISO/IEC 19501:2005 [ISO 01] abstractly describes any system whose aim is to be applied via the implementation of a programming language (paying no attention to the specific programming language from the offset, and therefore not restricting itself to the limits of the expressiveness of this programming language). Once the important UML modeling concepts have been presented, the various advantages of this type of approach will be considered: modularity, reusability, portability and so on. In section 1.3.4, we will discuss system validation. Indeed, using design models coupled with formal validation methods for these models is beneficial in terms of speed and strength with regard to the certification of the final system.

1.1. The history of model-based design

From its beginnings in the 1960s, computer program design was unguided and left to the discretion of development teams. This free approach met the design needs of simple programs that had to be run on extremely hard to use hardware systems. Intellectual effort, therefore, principally concerned “how” to make the underlying electronics compute what developers wanted it to calculate. Thus, assembly languages were king.

However, university mathematicians were working on new and complementary approaches that considered real machines indeterminate elements; programs were first and foremost considered abstract, and they were then concretized manually or with tools called assemblers, linkers and compilers. The wide variety of possible uses foreseen for computer-based systems resulted in the development of a large number of programming languages. In 1977, Professor M. Halstead counted some 1,000 different languages [HAL 77] and excluded the countless variations and versions of each of these languages.

Though the object of endless disputes between enthusiasts, these two approaches – university and industry – defended, on the one hand, by mathematicians and, on the other hand, by electronic engineers, have always been complementary. The abstraction of high-level languages has, therefore, democratized these new computer systems whose internal operations are proving to be extremely complex. In return, improvements to electronics have influenced the formalism of languages, their opportunities and performance.

A new scientific era began in the late 1970s: the era of models. In fact, the exponential complexification of computer systems quickly limited humans’ ability to design programs. The introduction of new and more formal methods guiding design enabled these limits to be stretched. Thus, the 1980s saw the appearance (or rather the reappearance and the adaptation) of graphic and text languages. These languages describe systems in a formal way and, instead of being used by machines, coordinate the different participants in application development.

In this new pattern of work, developers together establish a contractual framework for the program, its objectives and the principles of its internal operations. These principles are translated into lines of code in one or several appropriate languages and are finally compiled in a binary form that the machine understands and executes.

Different formalisms have been tested according to needs. Some are adapted to describe the structure of a computer program or of data, others to expose the operation state of the program at a given moment, others still to describe the succession of states through which the program passes or can pass. In the mid-1990s, three major object-oriented design methods were combined under the aegis of the Object Management Group and given the name Unified Modeling Language (UML). The UML is the focus of the following section.

1.2. The Unified Modeling Language, a support for model-based methods

1.2.1. The philosophy and history of the Unified Modeling Language

The principle of using classes and objects rather than functions to model a computer program is relatively old: the programming language Simula [POO 87] introduced this concept to the computer world from 1967. In 1976, the programming language Smalltalk [BRI 96] built on this concept by generalizing its semantics.

However, from 1983, the language C++ [STR 00] – due to its proximity to language C – really democratized this concept. The language C is in fact renowned for programming onboard systems because of its proximity to the hardware. It has, therefore, been widely used and has earned a dominant position in the set of programming languages. The language C++, therefore, appears to be the “natural” successor of the language C in terms of reaching a high level of complexity in computer programs.

Similarly, countless design methods have appeared to model computer programs via objects: Booch [BOO 93], Classe-Relation [DES 94], HOOD [ESA 06], Merise [TAR 83], OMT [RUM 90], OOSE [JAC 92], etc. A collective effort for normalization, led by the Object Management Group, resulted in the UML in 1997. In 2000, this norm was accepted by the ISO and was updated in 2005 [ISO 01]. This work combined the three most fashionable methods of the mid-1990s: the Booch, OMT and OOSE methods.

Nevertheless, it is important to point out that UML is a norm that is still subject to certain adjustments. It has been in a constant state of development since its first publication to the present day.

The UML enables computer programs based on the concept of objects to be specified, designed and developed. It formalizes how different artifacts associated with software development are written: scope statements, system and interface requirements, how to split the system into subsystems, the formalization of processes and actors, the structural organization of data, etc.

The principal point of the UML is that it is a consensual (and normalized) language for exchanging information between different entities related to computer software development. However, the UML does not require nor specify any development method or any process to guide developers during the different phases of development.

The UML is designed to communicate through diagrams. These diagrams provide a graphic visualization of the ideas exchanged, facilitating the comprehension of the solution or the solutions proposed. Formalizing diagrams and notations reduces ambiguities, and thus incomprehension, as well as any resulting programming errors. What is more, the UML is independent of any programming language, any process and even any application domain; this helps make it universal.

1.2.2. The Unified Modeling Language normalized diagrams

In its normalized 2.0 version ISO/IEC 19501:2005, the UML defines 13 types of different diagrams that can either be used or not used according to the needs and requirements of software developers. To refresh readers’ memories, a quick overview of some of the most commonly used diagrams will be given below. In fact, countless quality books have provided an exhaustive and detailed description of these diagrams (some of these works are quoted below and are listed in the bibliography).

The first type of diagram to be discussed is the most well-known and the most used: the class diagram (an example of this is given in Figure 1.1). This diagram is a collection of static modeling elements that describe the structure (or the architecture) of a computer program independently from temporal aspects and from the dynamic of the system. The basic element is the class (giving the diagram its name), which is associated with a digital entity and a name. For instance, a class named “Person” can be associated with a set of data describing a person; a class named “Oracle” can be associated with functions generating predictions from parameters, etc. The second basic element in class diagrams is relationships. A relationship associates two classes and can even contain certain properties (noun, cardinality, navigation between the classes, roles of each end of the relationship, etc.). Other elements complete class diagrams: dependency relationships, packages, etc.

Class diagrams are widely used in software development to structure programs, the data they process and associated databases. The design and analysis of class diagrams are the main focus of countless works related to the UML, to the extent that sometimes other types of diagram are eclipsed.

The second diagram is the object diagram. This diagram represents objects, i.e. concrete instances taken from classes at a specific time. This representation gives a more or less precise picture of the state of the object and its relationships with the other objects at a system’s “photography” or “snapshot” moment. It helpfully completes a class diagram showing how the latter can be used. Therefore, the example of a class diagram (Figure 1.1) represents the (simplified) decomposition that was adopted to implement the Secure Next Generation (SNG) router described in Chapter 3. This example can be shown as the object diagrams presented in Figures 1.2 and 1.3, which show two very different configurations of the SNG router deriving from the same software development.

Figure 1.1.Class diagram describing the software structure of the SNG router

Figure 1.2.Example of an object diagram deriving from the previous class diagram

Figure 1.3.Another example of an object diagram deriving from the previous class diagram

Figure 1.4.Component diagram for the SNG router