Setting a Foundation for Software Architecture
Safety-critical components need to interact safely with less reliable and even unsafe components. For example, the flight control component in an autopilot is certified to DO-178B Level A (the highest level). However, it needs to accept guidance commands from a flight guidance system that is certified only to Level C. Nevertheless, avionics certification requires that the Level A software must still function correctly in spite of software failures in the less-critical components.
The SEI developed an architecture template called the Simplex architecture, which supports overall safety when a system is composed of both reliable/safe components and less reliable/less safe components.
In the Simplex architecture, a system is divided into two parts: a complex component that cannot be fully verified but is needed to provide an important service, and a high-assurance control subsystem that is simple and fully verified. The Simplex architecture also ensures predictable and guaranteed timing behaviors in spite of failures of the complex components, and it allows complex components to be restarted or replaced during operation. Notable applications of Simplex architecture principles include the F-22 and F-35 aircraft.
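The division just described, as an added toy example (not SEI code and not the real avionics implementation): an unverified controller drives a one-dimensional plant while a small verified controller and a safety envelope check stand behind it. The envelope limits, the actuator limit, the plant model x_{k+1} = x_k + cmd and the fault schedule of the stand-in controller are all constructed assumptions for the demo.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional
SAFE_LIMIT = 10.0  # assumed verified safety envelope: the plant must keep |x| <= SAFE_LIMIT
MAX_CMD = 5.0      # assumed actuator limit per control step

def simple_controller(x: float, setpoint: float) -> float:
    """High-assurance controller: small, bounded proportional step toward the setpoint."""
    return max(-MAX_CMD, min(MAX_CMD, 0.5 * (setpoint - x)))

def envelope_ok(x: float, cmd) -> bool:
    """Decision logic: accept a command only if the one-step prediction stays inside the envelope."""
    return isinstance(cmd, float) and abs(cmd) <= MAX_CMD and abs(x + cmd) <= SAFE_LIMIT

@dataclass
class SimplexSupervisor:
    complex_controller: Callable[[float, float], Optional[float]]
    restarts: int = 0                              # how often the complex part had to be restarted
    log: List[str] = field(default_factory=list)   # which controller acted at each step

    def step(self, x: float, setpoint: float) -> float:
        """Prefer the complex output; fall back to the verified controller on any fault."""
        try:
            cmd = self.complex_controller(x, setpoint)  # None models a missed deadline
        except Exception:  # a crash inside the unverified component must not propagate
            cmd = None
        if envelope_ok(x, cmd):
            self.log.append("complex")
            return cmd
        self.restarts += 1  # complex component is restarted while the simple one keeps control
        self.log.append("simple")
        return simple_controller(x, setpoint)

class FaultyComplexController:  # constructed stand-in: good, then unsafe, then crashing
    def __init__(self) -> None:
        self.calls = 0
    def __call__(self, x: float, setpoint: float) -> Optional[float]:
        self.calls += 1
        if self.calls == 3:
            return 50.0  # unsafe command that would drive the plant out of the envelope
        if self.calls == 4:
            raise RuntimeError("complex component crashed")
        return 0.8 * (setpoint - x)

def demo(x0: float = 0.0, setpoint: float = 5.0, steps: int = 5):
    sup, x, trace = SimplexSupervisor(FaultyComplexController()), x0, []
    for _ in range(steps):
        x += sup.step(x, setpoint)
        trace.append(x)
    return sup.log, sup.restarts, trace
```

Running `demo()` shows the plant staying inside the envelope throughout, with control handed to the simple controller at the unsafe and crashing steps and returned to the complex one once it behaves again.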