Photo captions: The Soviet Union is facing software reliability issues as it introduces a new generation of airliners such as the Ilyushin Il-96-300 (above). Fly-by-wire software checks delayed the first flight of the Swedish JAS39 Gripen (below) by 18 months.

control systems. For military purposes, however, the clinching argument is instability. An unstable aircraft (where the centre of lift is ahead of the c.g.) is far more agile than its stable counterpart. Such aircraft can only be flown using a fly-by-wire system; otherwise oscillations will set in very quickly and the aircraft will become uncontrollable. The critical nature of such systems helps to impose a large cost on a fighter project. The Saab Gripen's first flight, for example, suffered an 18-month delay due to verification of the flight control system. In the Gripen's case, this is a triplex digital system backed up by a triplex analogue system.

The implications of software reliability become most extreme in computer programs for the Strategic Defence Initiative. Should it ever be deployed, it will have 10 million lines of code. Simulation and testing can never be enough. Even in a simple guidance and navigation program there are 10^18 possible paths to be tried. At one test a microsecond, it would still take over 330,000 years to complete testing of all the paths.

Safety standard

The UK Ministry of Defence is soon to publish a first draft of its new standard covering the production of safety-critical software. Def Stan 00-55 will eventually be a mandatory standard, which will apply to all software written for the MoD. This standard will be of considerable significance, because the MoD's already substantial purchasing of software is set to grow as the software content of weapon systems grows over the years. Although the standard will not apply to the European Fighter Aircraft, 50 per cent of the value of this project will go on software, and the proportion will be even higher in future fighter projects.
The standard will call for the appointment of independent software safety assessors to oversee every project. Each assessor will presumably have to come from a rival manufacturer, unless a completely independent organisation, with a number of highly skilled specialists, is set up to cover all the safety-critical software projects under way. To soothe any anxiety over commercial confidentiality, the MoD will allow the company itself to choose its own assessor.

Methods defined

The standard will define certain methods and procedures, including formal methods (such as Z, VDM, and OBJ), automated static and dynamic code analysis (with tools such as SPADE and MALPAS), rigorous automated configuration control, the use of safe language subsets, together with evaluated and validated compilers. Contractors will need to take part in extensive training programmes, involving considerable investment in their staff and support tools. They will also need to employ specially trained "safety engineers", and relevant degree courses in this field are being prepared by several universities.

The new standard has clearly been heavily influenced by research at the Royal Signals and Radar Establishment in Malvern, Worcestershire, which has stimulated the formation of Viper Technologies. The Viper group's approach is represented by Martyn Thomas of Praxis, and others. Thomas is something of a fundamentalist. He believes that no amount of fiddling and proposing of formal methods and quality assurance can provide safe systems; the whole lot should be thrown out, and a new start made with a clean sheet of paper. The group's efforts have resulted in the Viper 1 and 1A microprocessors. These chips, the group claims, have a formal mathematical specification, a simple architecture with no interrupts, features appropriate to safety-critical applications, and a formally proven implementation.
This means it is possible to prove that the fabricated chip performs according to its design specification. Appropriate features include a comprehensive suite of comparison instructions, much used in safety-critical software. The Viper 1A processor was the first commercially available Viper product, and is made under licence by Marconi and Plessey. Using this chip, it is possible to design a simplex system which is fault-detecting. When it goes wrong, it stops. It can restart automatically after failure, and it has a diagnostic register indicating why it stopped. However, the Viper group is now developing Viper 2, which it believes will be used in "real" systems. It will use a rigorously proven subset of the Ada language, which is mandatory in most defence projects. Learning to live without interrupts will make life harder for programmers who habitually use this software technique in program designs. When an electronic device

36 FLIGHT INTERNATIONAL, 4 February 1989
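The fail-stop behaviour described for the Viper 1A (stop on any detected fault, record the cause in a diagnostic register, resume only after a reset) is illustrated by this added example. It is a hypothetical processor model written for this page, not Viper's instruction set or the Viper group's code; the instruction names, fault codes and the three test programs are all constructed.

```c
/* Added example: hypothetical fail-stop processor model (not Viper's real
 * instruction set). Any detected fault halts execution and records why in a
 * diagnostic register; execution resumes only after a deliberate reset. */
#include <stddef.h>
#include <stdint.h>
#define MEM_SIZE 8
enum stop_reason { RUN_OK = 0, STOP_ILLEGAL_OP, STOP_BAD_ADDR, STOP_OVERFLOW, STOP_HALTED };
enum op { OP_LOAD, OP_STORE, OP_ADD, OP_CMP_EQ, OP_HALT };
struct insn { enum op op; uint8_t arg; };
struct cpu {
    uint8_t acc, mem[MEM_SIZE], flag_eq;
    int stopped;                 /* once set, nothing executes until reset */
    enum stop_reason diag;       /* diagnostic register: why it stopped */
};
static void cpu_reset(struct cpu *c) { c->acc = c->flag_eq = 0; c->stopped = 0; c->diag = RUN_OK; }
static int fault(struct cpu *c, enum stop_reason why) { c->stopped = 1; c->diag = why; return 0; }
/* Execute one instruction; returns 1 if the processor is still running. */
static int cpu_step(struct cpu *c, struct insn i) {
    if (c->stopped) return 0;                       /* fail-stop, not fail-continue */
    switch (i.op) {
    case OP_LOAD:   if (i.arg >= MEM_SIZE) return fault(c, STOP_BAD_ADDR);
                    c->acc = c->mem[i.arg]; return 1;
    case OP_STORE:  if (i.arg >= MEM_SIZE) return fault(c, STOP_BAD_ADDR);
                    c->mem[i.arg] = c->acc; return 1;
    case OP_ADD:    if (c->acc > 255u - i.arg) return fault(c, STOP_OVERFLOW);
                    c->acc = (uint8_t)(c->acc + i.arg); return 1;
    case OP_CMP_EQ: c->flag_eq = (c->acc == i.arg); return 1;
    case OP_HALT:   return fault(c, STOP_HALTED);   /* orderly stop, still recorded */
    default:        return fault(c, STOP_ILLEGAL_OP);
    }
}
/* Run a program from reset until it stops; the diagnostic register says why. */
static enum stop_reason cpu_run(struct cpu *c, const struct insn *prog, size_t n) {
    cpu_reset(c);
    for (size_t pc = 0; pc < n && cpu_step(c, prog[pc]); pc++) {}
    return c->diag;
}
static struct cpu the_cpu;                          /* the single (simplex) processor */
static enum stop_reason demo_bad_store(void) {      /* constructed: STORE to 9 is out of range */
    const struct insn p[] = {{OP_ADD, 5}, {OP_STORE, 9}, {OP_STORE, 0}};
    return cpu_run(&the_cpu, p, 3);
}
static enum stop_reason demo_overflow(void) {       /* constructed: 200 + 100 overflows 8 bits */
    const struct insn p[] = {{OP_ADD, 200}, {OP_ADD, 100}, {OP_HALT, 0}};
    return cpu_run(&the_cpu, p, 3);
}
static enum stop_reason demo_good(void) {           /* constructed: well-formed program */
    const struct insn p[] = {{OP_ADD, 42}, {OP_STORE, 3}, {OP_CMP_EQ, 42}, {OP_HALT, 0}};
    return cpu_run(&the_cpu, p, 4);
}
```

The point of the model is the contrast with a fail-continue design: after the faulting store, the following instruction is never executed and memory is left untouched, and the supervisor reads the diagnostic register to decide whether to reset and restart.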