Design, Implementation, and Verification of Fault-Tolerant Modular Aerospace Controls Honeywell NCC-1-377

1. Design, Implementation, and Verification of Fault-Tolerant Modular Aerospace ControlsHoneywellNCC-1-377 • Objectives • NASA: A case study for the application of Formal Methods in the certification of the fault tolerant modular architecture • Honeywell: A highly reliable and safe system assured by formal verification and certification • TTTech TTA • Architecture hardware and software tools supplier • Architecture-enforced partitioning and transparent fault-tolerance capability • Honeywell MAC (FADEC) • Modular approach • High product assurance, reliability, and safety • Reduced NRE and RE costs • Modular certification • Reuse - multiple applications • SRI Formal Methods (FM) • Formal specification and verification of TTA properties • Formal verification of modular certification concept NCC-1-377, Honeywell Tucson

2. What is MAC? • Modular Aerospace Controls (MAC) • MAC is a common Honeywell development platform that deploys modular electronics, common development environment and tools, and an open communication protocol • The MAC platform was created to enable low-cost development and support of FADEC applications The Next Generation of Aerospace Electronic Systems NCC-1-377, Honeywell Tucson

3. Today’s MAC Fits a Variety of Applications pS pS pS SFM 3 IOM 2 IOM 4 IOM 1 IOM 3 IOM 5 IOM 6 IOM 6 CPM 1 PSM 1 pS IOM 2 IOM 1 IOM 3 SFM 1 CPM 1 PSM 1 pS SFM 1 CPM 1 PSM 1 Large Engine Control • Uniquely capable • Low cost, harsh environment, fault tolerant • Pre-qualification and semi-independent certification • Industrial / automotive components & technology • Partitioned operating system & application software • Dramatic development cost and cycle time reduction • Longevity through proactive obsolescence management • Increased reliability through volume manufacturing and 6 • Facilitates simplified overspeed and uncommanded thrust protection RE-USEABLE MODULES Medium Engine Control Small Engine Control NCC-1-377, Honeywell Tucson

4. MAC Benefits for Redundant Flight Critical Systems • Serial link bottleneck between channels • Custom bus controllers, complex addressing • Not easy to accommodate changes • Inefficient utilization of redundancy • Data latency issues to be dealt with • Many single failures warrant channel swap or degraded operation • TTP/C Bus Eliminates Bottleneck • Easily re-configurable via TTTech COTS tools • Configurable I/O modules plug into bus • Redundancy is efficiently managed • Redundant I/O is available on bus without latency • Failures are localized; remainder of system is available • Replica Computations between GPMs Provides Improved Data Flow and Redundancy Management NCC-1-377, Honeywell Tucson

5. Design Correctness and Certification Developed approach for Modular Certification supported by formal analysis Presented to Industry and FAA Active participation in RTCA SC-200/EUROCAE WG-60 “Modular Avionics” by all team members Honeywell Tucson Honeywell Labs SRI International TTTech NASA Langley Fault-Tolerant Integrated Modular Avionics Developed modular architecture based on TTP/C Formal Analysis of key fault-tolerance protocols Several Products in Development Aermacchi M346 Dual-FADEC First delivery 11/02 F110 MDEC for GE (F16 mid-life upgrade) Kickoff 8/02 Planned response to Boeing 77 initiative for modular architectures Expect starts for civil products in 2004 NCC-1-377 Accomplishments NCC-1-377, Honeywell Tucson