Control system for a civilian aircraft (DO-178C / DO-254)
In this example, we consider the development of software for use as part of the control system in a civilian passenger aircraft.
The design example we consider is based on a TT software architecture.
[This page was last updated 2018-03-06]
The design challenge that we need to address
In many cases, control systems for civilian aircraft – developed in compliance with DO-254 / DO-178 (and related) standards – have traditionally been based on customised processors, designed to meet the challenges faced by safety-critical systems operating at high altitudes. For example, such processors may be exposed to higher levels of radiation than ground-based designs, and can be designed accordingly.
More recently, ‘Commercial Off The Shelf’ (COTS) processors have become common in many aircraft designs. In such systems, the possibility that the COTS processor will ‘misbehave’ may be addressed through use of a ‘safety net’, which is defined as the employment of mitigations and protections at the appropriate level of aircraft and system design to help ensure continuous safe flight and landing.
This approach requires the safety net to be designed as a component within the aircraft system.
Implementing a safety net
Use of a TT Wrapper can be an effective way of performing the required monitoring of a complex COTS processor.
Related design examples
You will find two other examples that illustrate the use of TT Wrappers on this website:
- Controller for an Autonomous Road Vehicle (ISO 26262, ‘ASIL D’)
- Dealing with ‘SOUP’ in a Medical Infusion Pump (IEC 62304, ‘Class C’)
Learn more about TT software architectures
The Second Edition of ‘The Engineering of Reliable Embedded Systems’ (ERES2) documents an industry-proven approach to the development of software for reliable, real-time embedded systems, based on the use of ‘Time Triggered’ (TT) architectures.
What distinguishes TT approaches is that it is possible to model the expected system behaviour precisely. This means that: [i] during the development process, we can demonstrate that all of the requirements have been met; and [ii] at run time, we can detect problems very quickly.
The end result is that we can have a high level of confidence that a TT system will either: [i] operate precisely as required; or [ii] move into an appropriate state if a problem occurs.
The above characteristics mean that appropriately-implemented TT systems provide a particularly effective means of meeting the requirements of various international safety standards.
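As an added illustration of the two properties just described (not code from ERES2, from SafeTTy Systems, or from the aircraft design example), the following C program runs a small simulated TT schedule. The schedule, the tick length, the per-task time budgets and the deliberately overrunning ‘cots’ task are all constructed for the example. A design-time check (schedule_feasible) demonstrates offline that the budgets of the tasks due in every tick fit within the tick, and a run-time monitor (tt_run) compares what each task actually consumes against the precomputed model and moves the system into a fail-safe state at the first deviation; in this simulation the fail-safe action is only a record and a message, whereas a real safety net would drive its outputs to safe values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from ERES2 or SafeTTy Systems. A small time-triggered
 * schedule: which task runs in which tick, with what time budget, is fixed at
 * design time (so timing is checked offline), and a run-time monitor moves the
 * system into a fail-safe state on the first deviation. Time is simulated. */

typedef enum { SYS_NORMAL = 0, SYS_FAIL_SAFE = 1 } sys_state_t;
#define NO_FAULT   UINT32_MAX
#define TICK_UNITS 4u   /* simulated time units available in each tick */
/* Period and offset are in ticks (offset < period assumed); the worst-case
 * execution time (WCET) budget is in time units. */
typedef struct {
    const char *name;
    uint32_t period_ticks, offset_ticks, wcet_units;
    uint32_t (*run)(uint32_t tick);   /* returns the time units it consumed */
} tt_task_t;

/* Constructed tasks. "cots" stands in for work hosted on a COTS processor that
 * the TT wrapper does not trust; at tick 7 it overruns its budget. */
static uint32_t sensor_task(uint32_t tick)  { (void)tick; return 1; }
static uint32_t control_task(uint32_t tick) { (void)tick; return 2; }
static uint32_t cots_task(uint32_t tick)    { return tick == 7 ? 3 : 1; }

static const tt_task_t g_schedule[] = {
    /* name      period offset wcet  function     */
    { "sensor",  1,     0,     1,    sensor_task  },
    { "control", 2,     0,     2,    control_task },
    { "cots",    2,     1,     1,    cots_task    },
};
#define N_TASKS (sizeof g_schedule / sizeof g_schedule[0])

static uint32_t g_fault_tick = NO_FAULT;   /* tick at which the monitor intervened */

static int task_due(const tt_task_t *t, uint32_t tick)
{
    return tick >= t->offset_ticks && (tick - t->offset_ticks) % t->period_ticks == 0;
}

static uint32_t gcd_u32(uint32_t a, uint32_t b)
{
    while (b) { uint32_t r = a % b; a = b; b = r; }
    return a;
}

/* Design-time check: in every tick of one hyperperiod, the WCET budgets of the
 * tasks due must fit in the tick. Returns 1 if the schedule is feasible. */
int schedule_feasible(void)
{
    uint32_t hp = 1;
    for (size_t i = 0; i < N_TASKS; i++)
        hp = hp / gcd_u32(hp, g_schedule[i].period_ticks) * g_schedule[i].period_ticks;
    for (uint32_t tick = 0; tick < hp; tick++) {
        uint32_t budget = 0;
        for (size_t i = 0; i < N_TASKS; i++)
            if (task_due(&g_schedule[i], tick)) budget += g_schedule[i].wcet_units;
        if (budget > TICK_UNITS) return 0;
    }
    return 1;
}

/* Fail-safe action for the simulation; a real design would drive its outputs
 * to their safe values here and hand over to the safety net. */
static sys_state_t enter_fail_safe(const char *reason, uint32_t tick)
{
    g_fault_tick = tick;
    printf("tick %u: %s -> fail-safe state\n", (unsigned)tick, reason);
    return SYS_FAIL_SAFE;
}

/* Run-time monitor: execute the schedule for n_ticks and return the final
 * state; tt_fault_tick() then gives the tick of intervention, or NO_FAULT. */
sys_state_t tt_run(uint32_t n_ticks)
{
    g_fault_tick = NO_FAULT;
    for (uint32_t tick = 0; tick < n_ticks; tick++) {
        uint32_t used = 0;
        for (size_t i = 0; i < N_TASKS; i++) {
            const tt_task_t *t = &g_schedule[i];
            if (!task_due(t, tick)) continue;
            uint32_t consumed = t->run(tick);
            /* Check 1: the task stayed within its own WCET budget. */
            if (consumed > t->wcet_units) return enter_fail_safe(t->name, tick);
            used += consumed;
        }
        /* Check 2: the tick as a whole did not overrun. */
        if (used > TICK_UNITS) return enter_fail_safe("tick overrun", tick);
    }
    return SYS_NORMAL;
}

uint32_t tt_fault_tick(void) { return g_fault_tick; }
int main(void)
{
    printf("schedule feasible at design time: %s\n", schedule_feasible() ? "yes" : "no");
    printf("after 10 ticks: %s\n", tt_run(10) == SYS_NORMAL ? "normal" : "fail-safe");
    return 0;
}
```

Because the schedule is static, the monitor needs no heuristics: any consumption beyond a precomputed budget is, by construction, a deviation from the modelled behaviour, which is what allows the fault at tick 7 to be caught within the same tick rather than after it has propagated to the outputs.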
In order to illustrate how the TT techniques presented in ERES2 can be employed in practical designs, five detailed case studies are included. These studies describe the development of embedded control and monitoring systems for the following products:
- an industrial alarm sounder unit (IEC 61508, SIL 2);
- a domestic washing machine (IEC 60730, Class B);
- a hospital radiotherapy machine (IEC 62304, Class C);
- a steering-column lock for a passenger car (ISO 26262, ASIL D);
- an aircraft jet engine (DO-178C, Level A).
Complete your cost-effective DO-178C design successfully using a SafeTTy Solutions™ package
Our SafeTTy Solutions™ packages are designed to help your development team produce a safety-related embedded system quickly and cost-effectively, in compliance with one or more international safety standards (DO-178C, IEC 61508, ISO 13849, ISO 26262, IEC 62304, IEC 60730 …).
SafeTTy Solutions packages are based on TT designs and include carefully-selected combinations of our various products and services.
SafeTTy Solutions packages include an appropriate ReliabiliTTy® Technology Licence.
Learn more about SafeTTy Solutions packages …