For aircraft, rockets, satellites … DNV develops SOFTWARE PRODUCT CERTIFICATION

Far from the sounds of shipping or the aromas of the process industry – two of DNV’s traditional areas of activity – its offices in Toulouse, southern France, are home to a dedicated team of aerospace engineers and software specialists. Here, in one of the major centres of Europe’s space industry, DNV is developing certification schemes for the next generation of satellite-based navigation systems, the European Space Agency’s GALILEO.

Det Norske Veritas has been actively involved in Europe’s aerospace industry since 1986, when it achieved its first contract with the European Space Agency, ESA; this was to monitor technical and safety aspects of the European manned-spaceflight programme. That same year, under the co-operative Eureka umbrella, DNV helped initiate the joint-venture Formentor project, to develop a computer-based system to recognise and act on malfunctioning rocket equipment.

In 1987 Norway became a full member of ESA; DNV established its independent Space and Communications project unit to support its space activities, and today offers a comprehensive service in information systems, telecommunications, remote sensing and measurement, environmental control, and life-support systems. Then and throughout the 1990s, DNV has been involved in numerous projects which have dominated European space activities; some of them are highlighted on p. 18.

The Galileo project
Satellite navigation systems are already indispensable to a wide variety of transport users: civilian and military aircraft, worldwide shipping, and a growing segment of land transport. They have also, to wider publicity, helped explorers in the Arctic, the desert and the jungle.

But current global navigation and positioning systems, the American GPS and Russian GLONASS, are militarily controlled, and the aim of ESA’s European Satellite Navigation Programme, ESNP, is to build a satnav system that is under civil control, more accurate than existing military systems, and with greater integrity and long-term availability.

DNV’s competence in software-system certification led to its involvement last year in the European Geostationary Navigation Overlay System, EGNOS, a research project to validate the concept of a European equivalent to existing global positioning systems. Prime contractor for this is Alcatel Space Industries.

Taking up the story is Sophie Chevillot, DNV’s station manager in Toulouse: “This proved an important reference for DNV in our being appointed prime contractor to ESA for the next step in the ESNP work, a study contract for the Galileo system software certification. The Galileo project aims to place navigational satellites in orbit, as part-payloads in future European or American rocket launches; DNV’s previous work in telemetry and software for ESA will stand us in good stead in its software certification.

“Here in Toulouse, with support from DNV experts in Paris and in Høvik, we already have a respected position in advisory and certification services, including all the DNV Rating Systems, TickIt certification, and Project Risk Management – the latter, for example, for Airbus Industrie’s A3XX series of aircraft.”

Software certification in practice
As prime contractor to ESA in the Galileo System Software Certification study, DNV is responsible for three subcontractors: Aerospatiale Matra Airbus (AMA), employing 12,000; Matra Marconi Space (MMS), with 2,000; and software expert Laboratoire d’Analyse et d’Architecture des Systèmes (LAAS). In addition, U.S.-based Certification Services Inc. will act as consultant to DNV in the context of civil aviation requirements.

The study will be in two phases, each of about a year. The first will identify software design fault-tolerance mechanisms for Galileo’s main subsystems, identify software-certification requirements for these, and propose a certification development plan. The second phase will parallel the evolving development of the Galileo system and its architecture, and refine the proposals of Phase 1.

Manager of the software methods department in AMA’s Systems and Services Directorate is Gérard Ladier. Explaining the company’s software development in Toulouse last month, he pointed out the growing importance of certification of safety-critical software. “All equipment suppliers to the aerospace industry must meet the DO 178B international certification standards for avionics software. In Aerospatiale, we set up a dedicated team to develop software for on-board equipment, and have recently been assessed to Level 2 of the CMM programme.

“There are common requirements in all critical software, whether it is in the aviation industry, nuclear power generation or telecommunications. This latter is of growing importance, by the way, to all life-threatening applications. Another characteristic today is that less software is developed in-house, and more comes from commercial suppliers in their own equipment; as DO 178B standards specify that the prime manufacturer must have total control over the end product, we have to develop new means of testing and controlling such commercial off-the-shelf (COTS) equipment. Either we must cooperate with the supplier, to have access to his systems documentation; or design an architecture which can handle this outside software.

“Among the advantages that DNV brings to avionics software certification is its knowledge and experience of other disciplines. Some of the problems we face may already have been met and overcome in other industries.”

Growing criticality
Also in Toulouse we met Frédéric Voulouzan, deputy manager for products and services coordination in the Data Processing & On-Board Software Division of MMS. “Software certification is a new concept,” he explained, “but we already apply a stringent internal quality regime. About 40 per cent of our work is for commercial clients, 60 per cent for ESA and similar organisations. For these latter we must meet, not Code requirements, but aerospace-industry developed standards. These reflect the need for very high reliability – after all, in most cases there can be no subsequent access to satellite hardware!

“As more and more software is installed in aerospace equipment, its criticality grows. For the past two years the industry has had a policy of continuous software process improvement. There are two extremes of availability and reliability requirements: a rocket may have a service life of 20 minutes, its payload a life of ten to 15 years. So an essential criterion for space systems and their software is fault-tolerance. Such technology may help cut certification costs by reducing the criticality of each individual element.

“Unlike the present GPS, performance of the Galileo system will be largely guaranteed; hence the authorities demand certification of the entire project, including the software.

“Looking further ahead, I foresee wide potential for other applications of software certification, such as telemedicine, nuclear power and even bank ATMs.”

A growing role for DNV
DNV’s contract manager for the current Galileo work is principal engineer Arne Kjensmo. “For many years,” he says, “DNV has been increasingly concerned about the quality and reliability of software and systems, particularly those which form part of safety-critical monitoring and control.”

The growing proportion of software content in systems and products in areas other than aerospace, such as telecoms, transport, energy, finance and the process industries, calls for increased attention to issues of software quality. In September 1998 DNV agreed with one of the world’s leading telecommunications companies, L.M. Ericsson, to jointly develop worldwide software-quality services. DNV acquired 50 per cent of the Ericsson-owned company Q-Labs, specialising in software engineering and process improvements.

A step further in DNV’s goal of improving the quality of safety-critical software has been to focus on software product quality. An important milestone has been to enter into a strategic alliance with Isoscope SA in Toulouse, a specialist in software product evaluation and improvement services.

Date: 2000-05-15

Key DNV aerospace contracts

Following its early involvement in ESA programmes, DNV established in 1990 a new company, DNV Industrial Development AS, with separate space and defence departments: the former handled European aerospace projects such as the Columbus orbiting space station, Hermes shuttle and Ariane rockets, all then seen as vital in the success of an autonomous European space capability.

Priority was product assurance services for ESA, looking at quality, safety, reliability and maintainability, and the selection of materials and components. DNV also undertook safety and reliability studies of the European Space Operations Centre in Darmstadt, Germany.

Other highlights

  • Study of reliability, availability, maintainability and safety (RAMS) of the Huygens space probe, for Aerospatiale Espace & Defence.
  • Review of the French space centre’s product-assurance system for the Hermes and Ariane-5 projects, for ESA.
  • Study of product-assurance data collection for Daimler-Benz Aerospace Dornier GmbH.
  • Establishment of quality standards of optoelectronic components, for ESA.
  • Principal surveillance authority for the Ariane-5 rocket programme, for ESA.

Together with its partners Q-Labs and Isoscope, DNV today offers a wide range of services for managing risk in software products and systems, in both aerospace and land-based industry.