Embedded Systems for Commercial and Military Aviation
More than 10 million people board a commercial aircraft daily to visit family, conclude business, or enjoy a vacation. Safety is fundamental to this mode of transportation. Aircraft such as Boeing’s 777 can accommodate up to 396 passengers, while the Airbus A380 superjumbo seats up to 853. So, should a disaster occur, the impact is felt far and wide. Engineers and software developers work hand-in-hand to ensure that the embedded systems they design contribute to keeping the airline industry the safest form of transport we have.
Balancing Innovation and Safety in the Aerospace Industry
The statistics bear this out. According to the IATA (International Air Transport Association), over 32 million flights took place in 2022. In total, there were 39 accidents, five of which involved fatalities. This is an improvement on the five-year average (43 accidents, 7 fatal), reflecting the consistent effort applied to keep commercial aviation safe. IATA states that, at the current level of risk, an individual would need to travel daily for over 25,000 years to experience a fatal accident [1].
So, how does the electronics and semiconductor industry support these metal birds? What measures are put in place to ensure safety? And are there any disadvantages to working in the aerospace industry?
[1] https://www.iata.org/en/pressroom/2023-releases/2023-03-07-01/
How to make a small fortune in the airline industry
There is a well-worn joke about airlines that asks, “How do you make a small fortune in the airline industry? You start with a large fortune!” And this applies to aircraft manufacturers, too. Bringing an aircraft to market requires staying power and plenty of money.
The Boeing 747 was conceived in the 1960s as air travel became more affordable. Entering service with Pan Am in 1970, the aircraft remained in production for over 50 years. But the program that delivered this icon of our skies cost around $1 billion (equivalent to around $8 billion in 2024). With development and certification this expensive, an aircraft's design rarely changes once it has been built and has received its airworthiness certificate: every modification to a certified system has to be re-verified and approved.
So, despite the electronics industry's march of progress with wireless over-the-air (OTA) updates, Boeing 747-400s were still receiving their 28-day navigation database updates on a stack of 3.5” floppy disks in 2020 [2], a reminder that for such aircraft the physical media and the maintenance procedure are part of the software supply chain.
The avionics bay of the 747 is fitted with line replaceable units (LRUs), the aviation industry’s term for modular electronic systems. Each system fulfills a specific task, such as the Flight Control Computer (FCC), Air Data Inertial Reference Unit (ADIRU), and Engine Electronic Control (EEC). Should a functionality issue arise, technicians can swap out a defective LRU “in the field” when the plane is next on the ground. This helps keep the aircraft flying and simplifies supply chain management.
LRUs are designed to ARINC 700-series standards [3], which define the digital systems and equipment used in production aircraft. The modules are then linked to each other and to the rest of the aircraft's systems using avionics-specific networking protocols, an approach analogous to the field buses used in industrial and automotive systems. One of these is ARINC 429, a unidirectional bus in which a single transmitter drives up to 20 receivers over a shielded twisted pair at 12.5 or 100 kbit/s; the bipolar return-to-zero signalling is self-clocking, so no separate clock line is needed. Each message is a 32-bit word made up of an 8-bit label identifying the parameter, a 2-bit source/destination identifier, 19 bits of data, a 2-bit sign/status matrix, and a single odd-parity bit. There is no handshake or acknowledgement: the transmitter repeats each label at a defined interval (typically between 20 ms and 1 s, i.e. up to 50 times per second), and receivers simply pick out the labels they need. Parity catches single-bit transmission errors, but the bus carries no authentication of any kind, so anything with electrical access to the wires can inject plausible words.
[2] https://www.theverge.com/2020/8/11/21363122/boeing-747s-floppy-disc-updates-critical-software
[3] https://aviation-ia.sae-itc.com/product-categories/arinc-standards/700-series
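To make the ARINC 429 word format described above concrete, here is an added encoder/decoder for the 32-bit word with its odd-parity check. It is example code written for this article, not code from Boeing, ARINC or any avionics supplier; the label number, the sample value and the "one LSB equals one unit" scaling are constructed for the illustration, and the SSM meanings given are those for BNR (binary) words only. The last part shows the security point made in the text: a single flipped bit is rejected by parity, two flipped bits are accepted as a valid word with a different value.

```python
# Added example (not from the original article): encoder/decoder for the
# 32-bit ARINC 429 word, plus an odd-parity check.
#
# Bit layout (ARINC bit numbering, bit 1 transmitted first):
#   bits 1-8   label   (octal; its most significant bit sits in bit 1, so the
#                       label appears bit-reversed in a numeric word)
#   bits 9-10  SDI     source/destination identifier
#   bits 11-29 data    19 bits (BNR words: bits 11-28 value, bit 29 sign)
#   bits 30-31 SSM     sign/status matrix
#   bit 32     parity  odd parity over the whole word
# The word is held as a Python int with ARINC bit n at integer bit n-1.

LABEL_MASK = 0xFF
DATA_MASK = 0x7FFFF
PARITY_BIT = 1 << 31

# SSM codes for BNR words; BCD and discrete words use different meanings.
BNR_SSM = {0: "Failure Warning", 1: "No Computed Data",
           2: "Functional Test", 3: "Normal Operation"}


def _reverse8(value: int) -> int:
    """Reverse the bit order of an 8-bit value (label MSB is transmitted first)."""
    return int(f"{value & 0xFF:08b}"[::-1], 2)


def parity_ok(word: int) -> bool:
    """True if the 32-bit word has odd parity (the ARINC 429 convention)."""
    return bin(word & 0xFFFFFFFF).count("1") % 2 == 1


def encode_word(label: int, sdi: int, data: int, ssm: int) -> int:
    """Assemble a word and set bit 32 so that the total parity is odd."""
    if not 0 <= label <= 0o377:
        raise ValueError("label must be an 8-bit octal label (0..0o377)")
    word = _reverse8(label)
    word |= (sdi & 0x3) << 8
    word |= (data & DATA_MASK) << 10
    word |= (ssm & 0x3) << 29
    if not parity_ok(word):
        word |= PARITY_BIT
    return word


def decode_word(word: int) -> dict:
    """Split a received word into its fields; reject words with bad parity."""
    if not parity_ok(word):
        raise ValueError(f"parity error in word 0x{word:08X}")
    return {
        "label": _reverse8(word & LABEL_MASK),
        "sdi": (word >> 8) & 0x3,
        "data": (word >> 10) & DATA_MASK,
        "ssm": (word >> 29) & 0x3,
    }


def bnr_value(data: int, lsb: float) -> float:
    """Interpret the 19-bit data field as two's-complement BNR scaled by lsb."""
    if data & (1 << 18):          # bit 29 of the word is the sign bit
        data -= 1 << 19
    return data * lsb


def encode_bnr(label: int, value: float, lsb: float, sdi: int = 0, ssm: int = 3) -> int:
    """Encode a signed engineering value as a BNR word (ssm=3: Normal Operation)."""
    raw = round(value / lsb)
    if not -(1 << 18) <= raw < (1 << 18):
        raise ValueError("value out of range for 19-bit BNR")
    return encode_word(label, sdi, raw & DATA_MASK, ssm)


def flip_bits(word: int, *arinc_bits: int) -> int:
    """Flip the given ARINC bit numbers (1-32), simulating corruption or tampering."""
    for b in arinc_bits:
        word ^= 1 << (b - 1)
    return word


if __name__ == "__main__":
    # Constructed sample: label 0o203 carrying -1500 with one unit per LSB.
    w = encode_bnr(0o203, -1500.0, 1.0)
    f = decode_word(w)
    print(f"0x{w:08X} label={f['label']:o} value={bnr_value(f['data'], 1.0)} "
          f"ssm={BNR_SSM[f['ssm']]}")
    try:                                   # one flipped data bit: parity fails
        decode_word(flip_bits(w, 15))
    except ValueError as err:
        print("rejected:", err)
    f2 = decode_word(flip_bits(w, 15, 16))  # two flipped bits: parity still odd
    print("accepted after 2-bit flip, value now", bnr_value(f2["data"], 1.0))
```

Parity here is an error-detection measure against noise, not an integrity control: the decoder has no way to tell a genuine word from one injected by a device spliced onto the pair, which is why physical access to avionics buses is treated as the trust boundary.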
Designing a new aircraft
When a new aircraft design project does kick off, the team looks for design decisions that will make sense for two or more decades. The project for the Airbus A380, the world's only full-length double-deck airliner, started in the 1990s, but the aircraft only entered service in 2007. An integrated modular avionics (IMA) approach was selected, something already deployed in military platforms such as the F-22 Raptor and the F-35 Lightning II stealth combat aircraft. It replaces many function-specific LRUs with a pool of general-purpose real-time computing modules linked using AFDX (Avionics Full Duplex Switched Ethernet, standardized as ARINC 664 Part 7), a networking protocol designed for safety-critical applications in aircraft.
The modules also offer a common application programming interface (API). As is becoming more common throughout the industry, such an architecture lets developers focus on an application layer built upon robust lower layers that handle access to hardware and networks. Because applications are decoupled from specific hardware, they can be hosted on other modules on the network should part of the system fail. Similar distributed computing approaches are now being applied in the automotive industry with software-defined vehicles (SDV) and their zonal architectures.
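What makes AFDX suitable for safety-critical traffic, given that it is ordinary switched Ethernet underneath, is that every flow is a configured virtual link with a fixed bandwidth budget that the switches enforce. The following is an added, simplified model of that per-link policing, written for this article rather than taken from any AFDX switch implementation. The Bandwidth Allocation Gap (BAG) and maximum frame length (Lmax) are real AFDX parameters; the 0.5 ms jitter allowance, the virtual link numbers and the traffic are constructed values, and real switches use a token-bucket ("account") scheme rather than this plain spacing check.

```python
# Added example (not from the original article): a simplified per-virtual-link
# traffic policer of the kind an AFDX (ARINC 664 Part 7) switch applies.
# Each virtual link (VL) is configured with a Bandwidth Allocation Gap (BAG),
# the minimum spacing between its frames (1 to 128 ms, a power of two), and a
# maximum frame length Lmax. Early or oversized frames are dropped at the
# switch, so a faulty or compromised end system cannot starve other VLs.
# The jitter allowance, VL numbers and traffic are constructed for this demo.
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

VALID_BAGS_MS = {1, 2, 4, 8, 16, 32, 64, 128}


@dataclass
class VirtualLink:
    vl_id: int
    bag_ms: float
    lmax: int
    jitter_ms: float = 0.5                 # assumed allowance for end-system jitter
    last_accept_ms: Optional[float] = field(default=None, init=False)
    accepted: int = field(default=0, init=False)
    dropped: int = field(default=0, init=False)

    def __post_init__(self) -> None:
        if self.bag_ms not in VALID_BAGS_MS:
            raise ValueError("BAG must be a power of two between 1 and 128 ms")

    def police(self, arrival_ms: float, length: int) -> bool:
        """Return True if the frame is forwarded, False if the switch drops it."""
        if length > self.lmax:
            self.dropped += 1                  # oversized for this VL
            return False
        if (self.last_accept_ms is not None
                and arrival_ms < self.last_accept_ms + self.bag_ms - self.jitter_ms):
            self.dropped += 1                  # too soon after the last accepted frame
            return False
        self.last_accept_ms = arrival_ms
        self.accepted += 1
        return True


Frame = Tuple[float, int, str]             # (arrival time in ms, length in bytes, name)


def run_policer(vl: VirtualLink, frames: Iterable[Frame]) -> List[Tuple[str, bool]]:
    """Feed frames through the policer in arrival order; return (name, forwarded)."""
    return [(name, vl.police(t, n)) for t, n, name in frames]


# Constructed traffic on a VL with BAG = 8 ms and Lmax = 200 bytes.
SAMPLE_FRAMES: List[Frame] = [
    (0.0, 120, "f0"),      # first frame, always accepted
    (8.1, 120, "f1"),      # 8.1 ms later: within BAG
    (15.7, 120, "f2"),     # 7.6 ms later: early, but inside the 0.5 ms jitter allowance
    (17.0, 120, "f3"),     # 1.3 ms later: violates BAG, dropped
    (24.0, 120, "f4"),     # 8.3 ms after f2 (the dropped f3 does not reset the clock)
    (32.0, 1500, "f5"),    # on time but exceeds Lmax, dropped
    (40.0, 120, "f6"),
]


def flood(vl: VirtualLink, start_ms: float, count: int, spacing_ms: float) -> int:
    """Simulate a module spraying frames every spacing_ms; return how many got through."""
    return sum(vl.police(start_ms + k * spacing_ms, 64) for k in range(count))


if __name__ == "__main__":
    vl = VirtualLink(vl_id=100, bag_ms=8, lmax=200)
    for name, ok in run_policer(vl, SAMPLE_FRAMES):
        print(f"{name}: {'forwarded' if ok else 'dropped'}")
    print(f"accepted={vl.accepted} dropped={vl.dropped}")
    burst = VirtualLink(vl_id=101, bag_ms=8, lmax=200)
    print("frames through a 100-frame flood at 1 ms spacing:", flood(burst, 0.0, 100, 1.0))
```

The flood case is the one that matters for containment: a module that tries to send a thousand frames a second on an 8 ms VL gets roughly one frame in eight through, and the remaining VLs on the switch keep their guaranteed share regardless of what it does.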
Ensuring avionics software is safe
Like the automotive industry, aerospace has continuously improved its hardware to minimize the risk of failure and to keep airlines' millions of daily passengers safe. Much of this hardware, however, depends on software. The standard DO-178, Software Considerations in Airborne Systems and Equipment Certification, is used by both the commercial and military aerospace industries, although the military focus is more on mission success than on safety. It provides guidance across the entire software life cycle: the planning process, the development processes (requirements, design, coding, and integration), and the integral processes (verification, configuration management, quality assurance, and certification liaison) that run alongside them.
Similar to the safety integrity levels of automotive and industrial systems (ASIL/SIL), DO-178 classifies software by the severity of the failure condition that a software anomaly could cause. It defines five software levels, commonly referred to as design assurance levels (DALs). Level E covers software whose failure has no effect on aircraft operational capability or pilot workload; an in-flight entertainment system is an example.
Level D corresponds to a minor failure condition that would result in inconvenience, such as a flight recorder failure. Level C (major) and Level B (hazardous) lie in between, and the highest level, A, is reserved for potentially catastrophic failure conditions that would prevent continued safe flight and landing, such as a fault in the fly-by-wire system. The level determines how many of the standard's objectives must be met and with what degree of independence.
A core focus of DO-178 is software verification, which covers reviews and analyses in addition to testing. The process starts with high-level software requirements, from which a software architecture and low-level requirements are derived. Each requirement needs tests demonstrating that it has been met, and the tests themselves are traced back to the requirements they cover. Bidirectional traceability is required throughout, meaning the link from high-level requirements through low-level requirements to source code can be followed in either direction. Code that cannot be traced to a requirement is dead code and must be removed; deliberately deactivated code is tolerated only with evidence that it cannot be executed in the certified configuration.
Structural coverage analysis of the tests is also required, with the criterion tightening as the level rises: statement coverage at Level C, decision coverage at Level B, and Modified Condition/Decision Coverage (MC/DC) at Level A. MC/DC requires that every condition in a decision be shown to independently affect the decision's outcome, which exposes logic that decision coverage alone can leave untested. The programming language Ada is often used thanks to its strong typing and other features aimed at high-integrity software. However, aerospace is increasingly using other languages and open-source software.
Reflecting the changing landscape of software development and the increased performance of embedded hardware, DO-178C was released in 2011 as the successor to DO-178B. This version of the standard is accompanied by supplements covering specific development paradigms: Model-Based Development and Verification (DO-331), Object-Oriented Technology and Related Techniques (DO-332), and Formal Methods (DO-333). These approaches allow model simulation or mathematical proof to satisfy certain verification objectives, replacing some traditional software testing activities. A further document, DO-330, provides guidance on tool qualification, which is required whenever a tool's output is relied upon without independent verification.
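The difference between decision coverage (Level B) and MC/DC (Level A) is easiest to see by computing both for one decision. The following is an added example written for this article, not a tool or procedure from DO-178 or any certification authority: it enumerates the truth table of a boolean decision, finds for each condition the pairs of test vectors in which only that condition changes and the outcome changes (the "independence pairs" of unique-cause MC/DC), and then searches for the smallest set of tests that contains such a pair for every condition. The autothrottle-style decision in the demonstration is constructed, not taken from any aircraft.

```python
# Added example (not from the original article): deriving decision-coverage
# and unique-cause MC/DC test sets for a boolean decision, and detecting a
# condition that can never be shown to independently affect the outcome.
from itertools import combinations, product
from typing import Callable, Dict, List, Optional, Tuple

Vector = Tuple[bool, ...]
Decision = Callable[..., bool]


def truth_table(decision: Decision, n: int) -> Dict[Vector, bool]:
    """Evaluate the decision for every combination of its n conditions."""
    return {v: bool(decision(*v)) for v in product((False, True), repeat=n)}


def independence_pairs(decision: Decision, n: int) -> Dict[int, List[Tuple[Vector, Vector]]]:
    """For each condition index i, the pairs of vectors that differ only in
    condition i and yield different outcomes (i independently affects the decision)."""
    table = truth_table(decision, n)
    pairs: Dict[int, List[Tuple[Vector, Vector]]] = {i: [] for i in range(n)}
    for v, outcome in table.items():
        for i in range(n):
            if v[i]:
                continue                        # record each pair once, from its False side
            w = v[:i] + (True,) + v[i + 1:]
            if table[w] != outcome:
                pairs[i].append((v, w))
    return pairs


def minimal_mcdc_set(decision: Decision, n: int) -> Optional[List[Vector]]:
    """Smallest set of test vectors containing an independence pair for every
    condition, or None if some condition never independently affects the outcome."""
    pairs = independence_pairs(decision, n)
    if any(not p for p in pairs.values()):
        return None
    vectors = list(truth_table(decision, n))
    for size in range(2, len(vectors) + 1):     # brute force is fine for small n
        for cand in combinations(vectors, size):
            chosen = set(cand)
            if all(any(v in chosen and w in chosen for v, w in pairs[i]) for i in range(n)):
                return sorted(chosen)
    return None


def decision_coverage_set(decision: Decision, n: int) -> List[Vector]:
    """One vector per outcome: sufficient for decision coverage, not for MC/DC."""
    picked: Dict[bool, Vector] = {}
    for v, outcome in truth_table(decision, n).items():
        picked.setdefault(outcome, v)
    return sorted(picked.values())


if __name__ == "__main__":
    # Constructed decision: engage if armed and (speed is low or stall warning active).
    def engage(armed: bool, speed_low: bool, stall_warn: bool) -> bool:
        return armed and (speed_low or stall_warn)

    print("decision coverage needs:", decision_coverage_set(engage, 3))
    print("MC/DC needs:", minimal_mcdc_set(engage, 3))
    for i, ps in independence_pairs(engage, 3).items():
        print(f"condition {i}: {len(ps)} independence pair(s)")
    # Redundant condition: b never changes the outcome, so MC/DC is unattainable
    # and the code review would have to explain or remove it.
    print("a and (a or b):", minimal_mcdc_set(lambda a, b: a and (a or b), 2))
```

For `armed and (speed_low or stall_warn)`, two tests give decision coverage but four are needed for MC/DC; the extra tests are exactly the ones that would catch a wiring error between `speed_low` and `stall_warn`. The `None` result for a redundant condition is the practical reason MC/DC pairs naturally with the dead-code rule above: logic that cannot be exercised independently is either a defect or something to justify.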
Embedded suppliers around aerospace
In the past, the aerospace industry wanted MIL-SPEC equipment, a catch-all term that means something fulfills a military standard or specification. However, with many semiconductor vendors having pulled out of this market and project budgets being squeezed, commercial-off-the-shelf (COTS) solutions are increasingly used. For example, while AFDX/ARINC 664 was designed for aerospace, it is based upon the well-known Ethernet protocol and can use COTS components.
Software is another such area: some suppliers specialize in taking COTS software stacks and stripping out unneeded and dead code. This re-engineering and the subsequent testing allow the stack to be certified for use in aerospace projects.
Many of the real-time operating systems (RTOS) that meet the aerospace industry's stringent safety certification requirements have a non-avionics equivalent from the same vendor. Then there are the tool vendors providing compilers, debuggers, and software testing environments. These, too, undertake additional qualification of their products and tools, since DO-178 requires a tool to be qualified whenever its output is relied upon without independent verification.
Slow innovation
While aircraft are a thing of wonder, the pace of innovation is slow. A decade or more can pass from conception to launch, while the aircraft itself can be in production for twenty years or more. As a result, the opportunity to work at the cutting edge of aerospace may only arise twice in your career. But, if you can live with that, the capabilities demonstrated in both commercial and military aerospace show incredible feats of engineering skill.
And it is embedded systems and software combined with a culture of safety that keep these flying machines safe, tens of thousands of take-offs a day. This industry proves that software can keep us safe and that our lives can be entrusted to embedded systems.