[EN] Pulsar Factory : Certifiable and modifiable autopilots
International drone regulation, and in particular European regulation, is evolving around the principle of “risk-based regulation”. This intuitive concept lead to the fact that low-risk operations are less restricted than high-risk (providing higher-added value) ones. It also means that activities like urban operations, BVLOS (Beyond Visual Line of Sight) operations and even people transportation will have to meet safety constraints that are close to the ones that exist in the civil avionics industry.
To reach such a high level of safety and reliability, it is required that critical embedded software like autopilots (or flight controllers) meet all the DO-178 certification objectives. The UAV ecosystem is not as wealthy as the manned civil aviation and the cost of certifiable software is usually not accessible for most drone manufacturers.
Pulsar Factory provides drone manufacturers and integrators a software autopilot that meets the DO-178 certification standard whilst taking into account technical and financial constraints of the UAV ecosystem.
Thanks to the activities performed by EASA for 5 years now (A-NPA 2015–10), drone regulation is starting to be harmonized at the European level. In 2019, two laws were voted by the European Parliament (2019/945 et 2019/947). These texts set up 3 different operational categories that rely on the risk based approach:
“Open” : Low risk category;
“Specific” : Medium risk category;
“Certified” : High risk category.
Air taxis do not belong to any of these categories and will need to comply to, among other regulation, to the SC-VTOL. In this article, we will focus on the “Certified” category and Air Taxis.
The scope of the “Certified” category is defined in article 6 of the 2019/947 regulation, and covers the following operations:
Operations that involve flying over gathered people;
Operations that involve people transportation;
Operations that involve the transportation of dangerous goods;
Operations deemed too risky for the “Specific” category.
Moreover, article 40, indentation 2 of regulation 2019/945 states that drones operating in the “Certified” category, shall follow usual civil avionics certification, meaning that embedded software shall meet the requirements of DO-178C standard.
Hence, we see that drones operating in the “Certified” category and Air Taxis (and also the riskiest part of the “Specific” category) shall follow civil avionics standards. To meet these requirements, the whole industry shall face several issues. We will go through them in the following section.
Certification in the drone industry
DO-178 certification ensures a tremendous amount of safety and reliability, and as we have seen, it is mandatory for drones operating in the riskiest categories. But it also comes with constraints, among them the cost and skills required to develop such software.
In manned aviation, certifiable software is usually custom built, following manufacturers’ requirements. Such a development comes with significant costs, due essentially to rigorous verification and validation activities.
Manned civil aviation can afford such cost, but the drone ecosystem currently cannot. The challenge therefore is to find a way for manufacturers and integrators to build highly-reliable and safe software at a cost adapted to economic constraints.
The development of embedded software compliant to civil avionics standards requires a deep knowledge of such standards, whilst also understanding all the activities that are required to create the certification artefacts.
These skills are almost entirely to be found in large civil avionics companies, and are very scarce among drone manufacturers and integrators.
Pulsar Factory’s aim is to provide safe and reliable software at an affordable price.
Pulsar Factory - An autopilot development framework
Pulsar Factory aligns the advantages of a COTS autopilot (cost) and those of a custom built one (adaptability), while providing a DO-178 certification solution.
Pulsar Factory gives access to all the certifiable building blocks of the Pulsar autopilot and the ability to develop custom blocks to take into account the specificities of the drone or of the operation. This section explains how the tool works.
Pulsar is made of components (software blocks) that all have a very specific role and that are completely separated. The table below shows some of these components:
All these components are compliant with the DO-178C DAL A civil avionics standard, delivering all the artefacts required to prove compliance to the authorities.
Pulsar Factory gathers all these components to create the autopilot, generate the binary, and flash it on the target hardware when required.
Pulsar Factory also provides a development environment allowing manufacturers to replace some existing components by those developed in-house (or any other exterior company). These components are then integrated into an autopilot containing the manufacturer’s specificities.
As an example, we often see that a manufacturer wants to develop their own control and command laws algorithms. It has the following advantages:
Control and command algorithms will be perfectly adapted to the drone, which is important for drones having a complex architecture;
Control and command laws will stay the sole intellectual property of the manufacturer.
Such flexibility is also interesting for driver components for example and other components, depending on the manufacturer’s requirements.
Pulsar Factory allows manufacturers to develop their components using Ada, C or Simulink®, allowing them to choose the language that will make them as efficient as possible. Pulsar Factory relies on tools supported and maintained by AdaCore, in particular GNAT Pro and QGen.
Pulsar Factory allows manufacturers to build binaries and to flash them on the hardware by themselves. It gives the ability to make modifications and to test them in flight very rapidly hence to have a very fast feedback loop between development and test.
Once components are developed by manufacturers and if it is required, we can help them to perform certification activities on the modified components (and only on the modified components!). Components developed by Hionos will not be impacted. This approach helps to reduce the cost of software certification by up to 80%.
The following video shows Pulsar Factory in use modifying the Notification_Manager component.