Hello World, this is the first of a series of three articles explaining how to test a secure and safe app connected to avionics.
Avionics modules… What are those?
Per the Federal Aviation Administration Handbook, avionics is a system that can automatically perform many tasks that pilots used to have to perform manually. An example is the flight management system (FMS), which defines the flight route and automatically performs most of the course, distance, time and fuel calculations. Avionics requires safety software development depending on its criticality level, as assessed under the industry standards ARP4754A and ARP4761. The criticality levels go from A (Catastrophic) to E (No effect).
For instance, the aircraft's FADEC (Full Authority Digital Engine Control) is Level A.
Mobile apps connected to avionics
First things first. When developing mobile applications connected to avionics there will be a bi-directional flow of information between both devices:
In this case, the application could display information from the FMC after a request from the application, such as the completed flight plan after the aircraft has landed, elapsed fuel, wind data, etc.
Are there any test guidelines for applications connected to avionics?
Now, let’s go back to the goal of the article: Why should you test an app connected to an avionics module?
Aiming to find responses, I performed a state-of-the-art investigation in 2019, starting with the information available in the Global Air avionics directory.
The research results:
- Only two companies offer mobile applications connected to avionics
- Three companies offer connectivity to avionics
- Only one company offers connectivity to avionics with certified safety-critical software
And, did I find any guidelines to test an app connected to avionics? The response was NO.
| Company | Mobile apps? | Connectivity to avionics | Certified software? | Products offered |
|---|---|---|---|---|
| Dynamic Engineering | None | Not offered | Yes | AS9100. IO, fan, power filtering applications |
| Garmin | Connext | Offered | No | Provides systems for general aviation without certification for transport |
| GE Aviation Systems | CFMS | Offered | Yes | FMS connectivity for EFB tablet application |
| GSS avionics | None | Not offered | No | GSS100 is the most advanced database analysis tool. GUI for test and analysis in bench not certified (ARINC 429). Mil-Std-1553 |
| Honeywell | None | Not offered | Yes | Certified in several platforms. Includes mobility applications but not for FMS or avionics |
| MAX Technologies | None | Offered | No | Applications for bench ARINC 629 analyzers |
| Rockwell Collins | None | Not offered | Yes | Mission Flight Management Software (MFMS-1000), Avoidance Re-router (ARR-7000) software. Virtual avionics software products |
| Universal avionics | None | Not offered | Yes | FMS trainer |
The world is not just avionics
After getting the first NO, I went through a different investigation path, to understand other types of safety-critical systems, as the whole world is not just avionics, right?
As a result of this, I found safety-critical systems such as medical, nuclear or power control.
For instance, Everbridge offers the safety-critical mobile medical application CARECONVERGE, a Critical Event Manager with key features to monitor critical medical events.
Was I lucky enough to find test recommendations for applications connected to these types of safety-critical systems?
The response was once again NO.
Applications running in an RTOS
After two “failures” I went through a third investigation line: Are there any test recommendations for mobile applications running on a Real-Time Operating System (RTOS)? Let’s talk about it.
First of all, it is important to clarify that an RTOS is an operating system (OS) with a modular design that complies with predictability, reliability, stability, multitasking and other characteristics.
So, are the apps on my mobile phone running under an RTOS? Let me explain this through a verification checklist for iOS:
| Characteristic | Complies with RTOS? | Why |
|---|---|---|
| Reliability | No | OS should operate without failure for a certain period of time |
| Predictability | No | OS is expected to complete tasks (email, messaging, social network, uploading/downloading data) within a specific timeframe |
| Performance | Yes | OS can process several outputs while at the same time receiving inputs; how well it complies with requirements in a timeframe |
| Compactness | Yes | OS can be small, portable |
| Scalability | No | OS can be upgraded to a newer version, but this is limited to the HW version. E.g.: An iPhone 3G cannot have iOS 12.3.1 installed |
| Pre-emptive | Yes | OS basic functions such as calling (receiving, sending) are preemptive over a music player or a game; that is, they can interrupt other tasks that have higher priority |
| Multitasking | Yes | OS can be in a call and at the same time receive an email, SMS or application notification (such as from a newspaper). Activities seem to be performed at the same time |
| Synchronization | Yes | OS can sync information such as pictures from different applications (Facebook, WhatsApp) with different storage devices (internal memory, Google Drive, iCloud) |
| Interrupt and Event Handling | Yes | OS has an interrupt vector that manages reception of emails, SMS and notifications from web site applications (such as newspapers) |
| Input/Output | Yes | OS displays information on screen, sends information to the network or to another phone via a call, and constantly receives information |
| Inter-task Communication | Yes | OS manages message queues and memory |
| Timers and Clocks | No | In the OS, only one task can be executed at a time and there is no timer for the task to expire |
From the assessment made, iOS 12.1 covers only 66% of the RTOS characteristics and is not deterministic. An application can crash whether or not it is safety-critical, which impacts reliability. Therefore, iOS is not an RTOS.
Then, should I continue through this investigation path? I think yes.
Verification methods for FreeRTOS
The research continued and I found verification methods for FreeRTOS. EUREKA? Please don’t claim victory yet Óscar.
C. Pronk documented a case study to verify the properties of FreeRTOS, an Android modified OS kernel that complies with safety-critical applications and RTOS requirements such as functional correctness, problems of implementation language, timing properties, safety properties, liveness properties, and fairness properties.
Are these verification methods satisfying our testing needs for secure and safe applications connected to avionics? Unfortunately NO.
Why? Because Pronk’s test methods are focused on verifying the characteristics of the RTOS, not those of the applications.
So, how can I test my app connected to avionics?
Well, this investigation resulted in a test of my resilience and not of applications!
So, I decided to go down a fourth path and defined my own method to test secure and safe applications connected to avionics, by merging the test requirements from OWASP and DO-178C.
I will explain this to you in detail in the following articles that will be published on coderskitchen.com.