Software Fault Protection with ARINC 653

With flight software becoming ever more complex, assuming that it behaves perfectly is no longer realistic. At the same time Verification and Validation (V&V) is consuming up to 50% of flight software development costs. The adaptation of fault protection concepts to flight software is attractive, particularly in the context of the fault containment and health management capabilities of ARINC 653. We propose a proactive, unified, model-based approach in which the behavior of the software is monitored against a model of its expected behavior. We describe how that may be incorporated into the ARINC 653 health management architecture. We describe software capabilities that facilitate software fault protection. These capabilities include enhancements to the ARINC 653 application executive, tools for software instrumentation, and a temporal logic runtime monitoring framework for high-level specification and monitoring. We analyze the aspects of the software that should be modeled and the types of failure responses. We show how these concepts may be applied to the Mission Data System (MDS) flight software framework.