AI and ML add complexity to military avionics safety certification
May 11, 2023
Certifying avionics software has been, is, and always will be a daunting, time-consuming task for avionics hardware and software designers. Thanks to advances in aircraft technology, modernized software, a shift in the programming languages used, and the emergence of artificial intelligence and machine learning (AI/ML) technology, certification continues to get more complex. Meanwhile, technical standards such as the Future Airborne Capability Environment (FACE) are aiding not only software certification but also overall avionics software development.
Many in the military industry, not just in the avionics arena, are learning how to make the best use of emerging artificial intelligence and machine learning (AI/ML) technology. For avionics software suppliers, it’s a matter of embracing its advantages and learning how it will impact safety certification of avionics software.
“Within the aerospace industry there is work being done on developing AI systems to analyze massive amounts of flight data to deliver summaries that will ultimately help pilots to make informed decisions,” says Roberto Valla, aerospace and defense head of sales (Europe, Middle East, and Africa) for Wind River (Alameda, California). “The industry is also looking to use AI to improve decision-making in aircraft collision-avoidance systems.”
However, certifying AI systems to current avionics safety standards is very difficult, which raises the question of whether an AI system could be controlled by a safety-certified “traditional” software and hardware system, or if human pilots would still be required to confirm the AI’s analysis, he continues.
The constantly changing nature of software presents new hurdles, notes Ian Ferguson, vice president of marketing for Lynx Software Technologies (San Jose, California). For one thing, as systems increasingly become interconnected, all facets of a system must be updated to improve their resistance to cyberattacks. Moreover, the increased use of AI/ML in some systems and the deployment of new features also require careful attention during the certification process: It’s crucial to make sure that new code deployment methods are safe and that the new code itself doesn’t affect the certified system, he says.
His company’s MOSA.ic is a modular software framework for building and integrating complex multicore safety- or security-critical systems using independent application modules. Its architecture is intended to enable developers to shorten development cycles when creating, certifying, and deploying manned, autonomous, and increasingly connected systems. (Figure 1.)
[Figure 1 | Lynx’s MOSA.ic is deployed in key components of the F-35 Lightning II avionics platform, including the integrated core processor developed by L3Harris that acts as the brains of the F-35. (U.S. Navy photo by Mass Communication Specialist 3rd Class Maci Sternod.)]
One problem is proving “determinism” for AI/ML systems, which is required for compliance with DO-178C (ED-12C in Europe), says Vance Hilderman, chief technical officer at AFuzion (Los Angeles, California). Determinism in the AI realm can be defined as algorithms or environments in which the outcome can be determined based on a specific state, or specifically those AI environments that ignore uncertainty.
Currently, active AI/ML is not allowed on commercial aircraft if logic decisions change in real time. AI/ML is limited to use in on-ground preflight tuning and mission planning; Hilderman estimates that true active AI/ML within onboard avionics for commercial aircraft is still six or seven years away.
While there is potential value for AI/ML in avionics systems, due to the concern about how these systems make decisions, it will likely be necessary for the systems to enable visibility into the algorithms and traceability of all decisions made to arrive at a solution, says Gary Gilliland, technical marketing manager at DDC-I (Phoenix, Arizona).
For safety certification applications DDC-I offers Deos, a time-, space-, and resource-partitioned real-time operating system (RTOS) that is designed for certifiable, safety-critical applications. It is used in multiple avionics functions, providing resource and scheduling mechanisms to help developers control interference patterns in shared resources. (Figure 2.)
[Figure 2 | Deos is DDC-I’s time-, space-, and resource-partitioned RTOS designed for certifiable, safety-critical applications. (Illustration courtesy DDC-I.)]
Uncrewed platforms bring new concerns
When discussing AI in aviation circles, the conversation often includes talk of the proliferation of uncrewed platforms, which have their own unique challenges compared to crewed platforms for DO-178C certification to DAL-A – Design Assurance Level A, the highest safety-critical level within the DO-178C [Digital Object 178C] standard. The standard defines various DALs ranging from A to E, with Level A being the most stringent and Level E the least.
DAL-A is applied to software systems in which a failure would result in a catastrophic event, causing multiple fatalities or loss of the aircraft. Needless to say, pilots and civilians are concerned with the failure of any drone in commercial airspace and military domains.
As uncrewed, autonomous aircraft grow in use, safety certification of the avionics software is critical to ensuring their safe and secure operation in different environments, for instance in dense urban areas, DDC-I’s Gilliland says. Regulations must adapt to cover all aspects of the aircraft life cycle, from development to deployment and operations, he adds.
This aspect includes getting safety certification under DO-178C and security certification under DO-356A. Additional elements that must be considered involve the complexities of managing air traffic for uncrewed aircraft and the need for operators to handle large fleets of aircraft. (Figure 3.) “Cybersecurity is becoming more of a concern, since many avionics systems, including uncrewed systems, need connections to the outside world.”
[Figure 3 | Wind River’s VxWorks 653 is used in the Airbus A330 Multi-Role Tanker Transport (MRTT) aircraft. (Photo courtesy Airbus.)]
Fully autonomous aircraft will be seen in military applications soon, and urban air mobility will follow, though it is further out, Ferguson says. AI/ML will likely be the only way to deploy such technology at scale, and certification processes will need to adapt to handle these use cases; however, authorities will require more evidence before approving these platforms, he says. The lessons learned from the deployment – and hopefully the successful use of AI/ML – in the automotive segment will help set expectations for when these platforms will be available for uncrewed platforms and what they’ll be capable of doing.
Uncrewed platforms carry several additional caveats when compared to crewed aircraft. For one, with manned aircraft, pilots are considered part of the certification solution and are expected to handle unexpected situations, Gilliland explains. Additionally, uncrewed systems are certified as a special class of aircraft, which is a problem because technology in the uncrewed industry is advancing quickly, he adds.
“Although no type of certification of an aircraft system is easy, with uncrewed systems the requirements and limitations are evolving rapidly and every system has to be renewed every few years to make sure they are still airworthy,” Gilliland says.
The growing interest in uncrewed aircraft, changes in the types of software used, the emergence of new programming languages, and the use of multicore processors are all factors that must be considered when meeting this mission-critical certification. The military avionics industry is working to address these various factors.
Learning languages
Many of these challenges are new, but the languages being certified have been around for decades.
“Most avionics software engineers today can say that their parents learned to code in ‘C’ language,” AFuzion’s Hilderman says. “It’s rare to see a commercial aircraft 50 years old, yet most code flying today is via the 50-year-old C language. Today’s developers are finally comfortable using object-oriented languages such as C++.” (Figure 4.)
[Figure 4 | AFuzion’s DO-178C & DO-254 template/checklist process frameworks were used as a basis to evaluate multiple systems for the forthcoming Bell V-280 Valor Future Long Range Attack Aircraft. (Photo courtesy Bell Flight.)]
When programming languages shift, what happens to certification of avionics software? As developers move from the traditional C language to object-oriented languages like C++, they must still comply with the DO-332 guideline, which isn’t well understood. Additionally, there is a lack of approved safety coding standards for languages like C# and Python, not to mention for emerging machine learning and artificial intelligence applications, Hilderman says.
AFuzion offers a collection of aviation development and certification templates, which consist of numerous plans, standards, and checklists.
FACE Technical Standard
Avionics software code development and certification has been aided in recent years through the emergence of The Open Group’s Future Airborne Capability Environment (FACE) Technical Standard, which is primarily focused on promoting code portability and reducing costs. It aims to make capabilities more affordable and speed up the delivery of new capabilities, but it can also support the safety-certification process for military avionics systems.
The FACE standard helps by providing standardization that makes the safety certification process easier, Valla says. “By providing a common framework and standardized interfaces for software components, the FACE standard can help simplify the safety-certification process by reducing the amount of custom integration work required for each new avionics system,” he says.
Valla’s company offers Wind River Studio, a cloud-native platform that enables automated validation and verification using digital-twin technology.
Standards like FACE have momentum behind them within industry and the DoD, as aviation programs often cite FACE conformance in their requirements, and the list of military platforms using FACE certified conformant solutions continues to grow.
“Aligning to standards is an essential first step,” Ferguson says. “It is indeed exciting to see the increased momentum of companies rallying around FACE to help fuel the cadence of innovation. It is critical to providing a path to reduce vendor lock-in, [for example].”
FACE is the best approach to avionics software and system standardization, greatly enhancing interoperability, portability, and reusability, Hilderman says. He estimates that FACE, when fully deployed, could reduce long-term development costs by 40% to 50% and certification costs by 20% to as much as 80%.
However, FACE is not backward-compatible with legacy avionics or software, which makes conversion costly and complicated. In the short term, some developers may find it easier to stick with their old methods.
FACE is an evolving standard and Ferguson says that “from a safety-certification perspective, much more needs to be done.” For example, standards currently lack descriptions of expected behavior and side effects, don’t account for necessary system information, and don’t cover software components in the operating system itself. Ferguson says he believes that future standards should focus on elements like hypervisors and unikernels to address these issues.