190 likes | 369 Views
COTS Graphical Processors. Gregg Bartley FAA Transport Standards Staff ANM-111 NASA/FAA Software and Complex Hardware Conference Norfolk, Virginia July 27, 2005. What are COTS Graphical Processors?.
E N D
COTS Graphical Processors Gregg Bartley FAA Transport Standards Staff ANM-111 NASA/FAA Software and Complex Hardware Conference Norfolk, Virginia July 27, 2005
What are COTSGraphical Processors? • CGPs are COTS devices designed for use in video games (e.g., X-Box, Sega), which is a very limited and non-safety critical market. • Major manufacturer of CGPs include ATI, 3D Labs, NVIDIA ….. • These devices are a SUBSET of the entire COTS hardware discussion. • Issues that apply to CGPs do not necessarily apply to COTS hardware in general!
What are COTSGraphical Processors? • Typical CGP can draw in excess of 200 million vertices per second. • Typical CGP can contain dozens of independent and asynchronous processing engines. • May contain embedded software or configurable data tables. • Typical life of a product is 18 months. • Many revisions within the lifetime of a product.
What CGP’s are NOT • CGP’s are not the same type of device as a COTS processor designed and manufactured by Intel, Motorola, etc. • CGP’s from the various suppliers may not necessarily have the same issues associated with them. • In other words, not all CGP’s are created equal!
FAA Position • CGPs driving flight deck displays represent a “new and novel” technology that require special attention during a certification program. • Even though these devices allow an applicant to design new or enhanced safety features in flight deck displays, it does not relieve the applicant of certification responsibilities for issues involving the CGP itself.
Issues with Use of CGPs in Flight Deck Display Systems • May not fit normally accepted definition of “configuration controlled parts”. • Rapid revision cycle may not be apparent to users. • Part revision identification process. • Problem reporting and resolution system. • Problem identification to users.
Issues with CGPs in Flight Deck Display Systems • Depth/existence of verification testing of specific CGP design and change impact analysis process is not known. • May contain embedded software not compliant with DO-178B. • Possible difficulties in establishing an accepted failure rate for the device.
Issues with CGPs in Flight Deck Display Systems • May contain undocumented, unverified fault handling routines. • Possibility exists of unknown generic design faults, which could affect redundant systems simultaneously. • Etc.
Assertions regarding CGPs • CGP devices should not be considered compliant with the Design Assurance Process defined in DO-254 (or DO-178B, if embedded software is included), unless the applicant can provide data to show otherwise.
Assertions regarding CGPs • A credible case for service history certification credit, per DO-254, section 11.3, may be impractical, due to: • lack of maturity of these devices in avionics applications, • lack of a formal problem reporting/resolution process by the CGP supplier, and • rapid and non-transparent lifecycle updates.
Assertions regarding CGPs • Devices themselves should not be considered to have any inherent Design Assurance Level (e.g., DAL A, C) associated with them, unless the applicant can show otherwise.
Recommendations • Applicants should choose CGP carefully when planning a new program which include flight deck displays, and do so with the understanding of how they intend to address these issues up front rather than after design has been started.
Recommendations • Applicants who propose to use one of these devices should coordinate with Certification Authorities early and often. • Identification of these devices in Plan for Hardware/Software Aspects of Certification document (PHAC/PSAC) may not fully address all the issues.
Recommendations • Certification Authorities should ask questions of applicants using COTS devices in flight deck displays, and issue an Issue Paper if necessary. • Coordination early on will prevent confusion and misunderstandings later in the program!
Issue Paper on CGP • The FAA has issued an Issue Paper on one program using a CGP through the Atlanta ACO, coordinated with the Transport Directorate and AIR-130. • Lists the FAA’s understanding of what these devices are. • Lists applicable regulations. • Lists the issues, given the above. • Requests applicant to explain how they intend to show compliance to regulations, given those issues.
Architectural mitigation • Provides the most straightforward, easily understandable resolution of many issues (e.g., ensuring hazardously misleading information is not displayed to flight crew). • If done correctly, these mitigations will address the lack of an inherent Design Assurance Level of the device itself.
Future Developments • Issue visibility. • Certification Authorities Software Team (CAST) paper (Currently P-96, in preliminary review). • This conference, FAA avionics conference. • Work to gain consensus among FAA and FCA specialists regarding our harmonized position.
Summary • GCP’s do not have a significant history in airborne avionics applications that is associated with the more “usual” COTS processors, thus the FAA’s “comfort level” is not very high. • Applicants should choose CGP carefully and with the understanding of how they intend to address issues up front rather than after design has been started. • Applicants should coordinate early with Certification Authorities. • Certification Authorities should ask questions.