Perspectives: Security and the Separation Kernel

By Joe Wlad | April 1, 2007
Historically, avionics systems have largely been designed to fit a single application need, such as an attitude indicator or a central warning system. The software-intensive designs of today's avionics systems are quite a contrast to their analog predecessors. When the use of software in avionics computers became popular in the 1980s, the FAA encouraged developers to certify software by following a guidance document, RTCA/DO-178B. Depending on the application, developers had to demonstrate their software was airworthy by showing compliance with many or all of the 66 objectives in DO-178B.

Since the early 1990s, the level of complexity in avionics designs has greatly increased. Now avionics systems are designed to support more than one application, using a partitioned operating system and memory management units to ensure applications have adequate separation. The benefits of this Integrated Modular Avionics (IMA) architecture include reduced weight, improved modularity and increased reusability.

The effort to demonstrate that such designs are airworthy is considerable because partitioned systems are approved to handle mixed levels of DO-178B software categories. This requires designers to demonstrate that the use of shared virtual and physical resources does not violate partitioning, and that any fault within a non-critical system is contained such that it has no effect on a critical system.

IMA designs bring in the notion of time, space and resource partitioning. IMA architecture contains a partitioning kernel that runs in supervisor mode and provides brick-wall partitioning of memory, time and I/O resources. The partitioning kernel provides applications with a full set of operating system services and the basic functionality needed to support the underlying hardware. Within each partition, the applications execute in user mode completely isolated from other applications. A time- and space-partitioned operating system that employs a memory management unit is required to fully support the concept of running multiple applications on a single hardware platform. The operating system makes each application behave as if it has exclusive use of the platform when, in fact, it is sharing the platform with many other applications.

The ARINC 653 standard defines the services that an IMA operating system should provide to applications and supports the concepts of modularity, reusability and portability of applications and operating systems. Most commercial and military aircraft produced by Boeing and Airbus are designed using IMA, demonstrating that modern computing platforms can meet stringent safety requirements. IMA is being extended to meet safety and security requirements.

Most often one thinks of avionics and security in terms of military aviation. The avionics security landscape is changing rapidly as the world becomes more connected. Consider that airborne communications, navigation and collision avoidance systems often rely on information from remote sources, making them vulnerable to unauthorized external influences.

The need for both safety and security pairs requirements for RTCA/DO-178B with requirements from the Common Criteria. The Common Criteria, also known as ISO 15408, is a framework used to address security requirements in information technology products.

The Common Criteria evaluation of security software defines "evaluation assurance levels" that indicate the rigor of the development process associated with an information technology product. The actual evaluation assurance level required for a given application depends on the security threats to the system and its software. An example of an avionics system that requires both safety and security approvals is a GPS receiver for military applications. Historically, these special functions would be accomplished using software on a separate microprocessor so that no classified information would be shared outside of that processor.

Today, both classified and unclassified functions can be executed on a single processor using a separation kernel, a small but verifiable time- and space-partitioned operating system. The functions are partitioned into virtual containers, and communication between these functions is handled by the separation kernel.
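To make the three properties described above concrete (space partitioning enforced on memory accesses, time partitioning enforced at window boundaries, and inter-partition communication that exists only where the kernel's policy declares a channel), here is a small Python simulation. It is an added illustration written for this column, not code from LynuxWorks or from any certified separation kernel; the partition names, memory regions, tick budgets and the `Channel` policy are all constructed for the example, and the GPS-style "classified navigation next to unclassified display" layout mirrors the scenario in the preceding paragraphs.

```python
"""Toy separation-kernel simulator (constructed example, not a real kernel).

Space partitioning:  every memory access is checked against the owning
                     partition's region; a violation faults only that partition.
Time partitioning:   a fixed major frame gives each partition a tick budget and
                     the kernel preempts at the boundary, whatever the partition
                     is doing.
Mediated comms:      messages move only over channels in a static policy.
"""
from dataclasses import dataclass, field


class PartitionFault(Exception):
    """Raised by the kernel when a partition touches memory it does not own."""


@dataclass
class Partition:
    name: str
    mem_base: int
    mem_size: int
    budget_ticks: int                 # window inside the major frame
    inbox: list = field(default_factory=list)
    faults: int = 0
    healthy: bool = True


@dataclass(frozen=True)
class Channel:
    src: str
    dst: str


class SeparationKernel:
    def __init__(self, partitions, channels):
        self.partitions = {p.name: p for p in partitions}
        self.channels = set(channels)  # the information-flow policy
        self.log = []
        self._check_memory_layout()

    def _check_memory_layout(self):
        """Space partitioning is meaningless if regions overlap; refuse to boot."""
        regions = sorted((p.mem_base, p.mem_base + p.mem_size, p.name)
                         for p in self.partitions.values())
        for (a0, a1, an), (b0, b1, bn) in zip(regions, regions[1:]):
            if b0 < a1:
                raise ValueError(f"memory regions of {an} and {bn} overlap")

    def access(self, who, addr):
        """Memory access by partition `who` (the check an MMU would perform)."""
        p = self.partitions[who]
        if not (p.mem_base <= addr < p.mem_base + p.mem_size):
            p.faults += 1
            self.log.append(f"{who}: fault at {addr:#x}, contained")
            raise PartitionFault(who)
        return True

    def send(self, src, dst, msg):
        """Inter-partition message, delivered only over a declared channel."""
        if Channel(src, dst) not in self.channels:
            self.log.append(f"{src}->{dst}: denied by policy")
            return False
        self.partitions[dst].inbox.append(msg)
        return True

    def run_major_frame(self, workloads):
        """workloads: {partition name: generator}; each next() is one tick.

        Each partition gets exactly its budget and is then preempted, so a
        runaway loop costs only its own window; a faulting partition is parked
        and the others keep their schedule."""
        consumed = {}
        for name, p in self.partitions.items():
            gen = workloads.get(name)
            ticks = 0
            if gen is not None and p.healthy:
                for _ in range(p.budget_ticks):
                    try:
                        next(gen)
                        ticks += 1
                    except StopIteration:
                        break
                    except PartitionFault:
                        p.healthy = False  # only this partition is stopped
                        break
            consumed[name] = ticks
        return consumed


def demo():
    """Classified nav feed, unclassified display, maintenance task (constructed)."""
    nav = Partition("nav_classified", 0x1000, 0x1000, budget_ticks=3)
    disp = Partition("display_unclassified", 0x2000, 0x1000, budget_ticks=2)
    maint = Partition("maintenance", 0x3000, 0x1000, budget_ticks=2)
    policy = [Channel("nav_classified", "display_unclassified")]  # one-way flow
    kernel = SeparationKernel([nav, disp, maint], policy)

    def nav_work():                   # well-behaved producer, runs forever
        while True:
            kernel.access("nav_classified", 0x1010)
            kernel.send("nav_classified", "display_unclassified", "fix-ok")
            yield

    def disp_work():                  # reverse flow denied; then a runaway loop
        kernel.send("display_unclassified", "nav_classified", "hello")
        while True:
            yield

    def maint_work():                 # reaches into the classified region
        kernel.access("maintenance", 0x3000)
        yield
        kernel.access("maintenance", 0x1010)
        yield

    consumed = kernel.run_major_frame({"nav_classified": nav_work(),
                                       "display_unclassified": disp_work(),
                                       "maintenance": maint_work()})
    return kernel, consumed


if __name__ == "__main__":
    k, used = demo()
    print(used)
    print(*k.log, sep="\n")
```

Two details carry the security point. The reverse message from the display partition is rejected because the policy is a static allow-list of channels rather than a deny-list, so an undeclared flow fails closed. And the maintenance partition's out-of-region access is turned into a fault that parks only that partition: the navigation partition still receives its full three ticks on the next frame, which is the "fault in a non-critical system has no effect on a critical system" property the column describes.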

No longer is IMA used mainly to meet safety requirements, reduce weight, improve portability and reduce costs. IMA has been extended to address the emerging requirement for security. The separation kernel will become the foundation of future avionics designs and likely has benefits for other applications beyond avionics.

Joe Wlad is director of product management with LynuxWorks, San Jose, Calif.
