Friday, June 1, 2012
Product Focus: Real-Time Operating Systems
Developers of RTOS must balance safety, security and functionality with industry standards to deliver new systems to the ever-demanding market
During the next few years, the technology needed to meet NextGen requirements will be added to aircraft cockpits already bristling with advanced systems. As it is doing now for many safety-critical systems on commercial and military aircraft, real-time operating system (RTOS) software will likely provide support for those NextGen systems, such as Automatic Dependent Surveillance-Broadcast (ADS-B). Adhering to stringent safety standard requirements, technology companies are developing and deploying complex RTOS environments designed to execute applications and help hold down size, weight and power use as new functionality is added.
“Real-time operating systems serve a critical role in ensuring safety at the processing level because they guarantee that hundreds, if not thousands, of specific algorithms get executed on time every time,” said Larry Miller, chief engineer, real-time operating systems at Honeywell. “If you take the example of a traffic collision-avoidance system (TCAS) or a ground proximity warning system (GPWS), avoiding an air-to-air collision or a controlled flight into terrain incident can very well depend on the integrity of an RTOS.”
|DDC-I’s Deos safety-critical RTOS is used to host DO-178B certifiable avionics software for air data computers, air data inertial reference units, cockpit video, displays and flight instrumentation, electronic flight bags, enhanced ground proximity warning, flight control, flight management, maintenance, power distribution, radios, traffic collision avoidance and weather radar|
“If you look at all the requirements (for those NextGen programs), many of them but not all are safety critical,” said Robert Dewar, co-founder, president and CEO of New York-based AdaCore, a computer software company that provides open source software tools and expertise for the development of mission-critical, safety-critical and security-critical software.
The increased use of and appreciation for RTOSs, designed to run embedded applications requiring precise timing and a high degree of reliability, has coincided with the emergence of complex digital software systems and microprocessors. A RTOS, which offers “services to the application programs, is the most efficient way to utilize all that processing power that is out there,” said Greg Rose, vice president of marketing at Phoenix-based DDC-I.
DDC-I is one of several companies competing in this market that also includes Wind River, LynuxWorks and Green Hills Software. These companies are providing baseline real-time operating systems along with a variety of RTOS-based products.
|Operating systems can be partitioned, as described by the above diagram from LynuxWorks, when multiple applications need to share a single processor to ensure one application does not bring down another in the event of failure.|
By allowing multiple applications to run on a single platform, partitioning also limits size and weight gain from the added technology on already cramped flight decks. “A cockpit regardless of whether it is civil or military has limited space … (and) unfortunately you can’t stick a lot of extra boxes to do this functionality” as would have been done in the past, said Robert Day, vice president of marketing at LynuxWorks, of San Jose, Calif., which offers a variety of RTOS products including the LynxOS. The LynxOS-178 RTOS by LynuxWorks received FAA acceptance for reusability for DO-178B certification, allowing it to be used on more than one project without having to regenerate certification artifacts.
Underlying these capabilities are key safety standards or specifications DO-178B and ARINC 653 which are designed to ensure the systems are “reliable and … work consistently,” said Day. On aircraft, “the software has to run the same every time... it has to do what it says it is going to do when it is supposed to be doing it. If a fault condition occurs it has to be dealt with without bringing everything down including the airplane.”
To begin, “the whole (system) platform needs to be qualified and go through safety analyses,” said Chip Downing, senior director of aerospace and defense at Wind River, based in Alameda, Calif. “You have to go through certificate standards DO-178B and now DO-178C for software and then DO-254 for hardware … (and) map all the capabilities around a piece of hardware or software back to real hard requirements before achieving that certification.”
“DO-178B is … a beautiful standard because it is widely accepted, it had wide industry participation, it is widely proven, (and)... has a great track record of safety,” said Downing.
While it is a civil standard, “we have seen over the last decade of so … that the military has started (informally) … to adopt DO-178,” said Tim King, technical marketing manager at DDC-I.
There are “five levels of criticality from level A that is most strict to level E,” said John Bevins, director of product marketing at LynuxWorks. Level A might include flight control devices or computers that are flying the airplane on auto pilot, for example, “if they failed they would result in catastrophic events like death.” On the other end, “Level E might be the entertainment computer that plays the movie.”
Veteran RTOS companies say they have largely included DO-178B requirements in their software development process. Still, “it is not necessarily a simple set of processes … because you are talking about very complex functions and some very complex software … so it is a barrier to entry,” King said. “Probably the biggest challenge that we have found is being able to follow DO-178B and do it efficiently and effectively.”
Developers are now studying the latest revision of the standard: DO-178C. Since DO-178B is a standard that gets some of its value from the fact that it has worked well for some time, RTCA and EUROCAE have “been very conservative in DO-178C,” Dewar said. The key areas addressed include tool qualification, ensuring the tools used to demonstrate a safety case must be certified, he said. It also provides “advice and procedures for handling an object oriented approach” that includes the potential use of formal methods and provides information about how to certify a development approach that uses of modeling languages, such as Simulink, “which are becoming much more used in avionics applications.”
“The DO-178C, as far as we are aware, is not something that is actually being used to certify software applications right now, so we are following (it) to see … what impact that will it have on our software operating system,” said Day.
Like DO-178B, “ARINC 653 (Avionics Application Standard Software Interface) is a great standard that has stood the test of time: it has been around for 20 years now and has gone through minor revisions, but it has been deployed to many, many aircraft,” Downing said.
ARINC 653 lays out the specification for space and time partitioning in safety-critical avionics RTOSs. It allows developers to divide up a single system putting some low importance, non-safety critical applications in one partition and safety critical applications in another. Importantly, “we know by mathematical proof that information cannot leak from one to another (partition or) separation kernel,” said Dewar.
ARINC 653 has sparked industry trend toward the use integrated modular avionics (IMA), “which basically (involves) bringing more and more functionality that had been discreet systems into a single system (using) an RTOS to run multiple applications,” said Day.
The immediate gain from an IMA has been savings in size and weight. For example, by using the VxWorks 653 platform on the GE common core computer on the Boeing 787 to support software from more than 10 different suppliers, “we were … able to remove scores of line replaceable unit functionality” which also eliminates a significant amount of weight, said Downing. Also, with all the different software and vendors involved, the level of integration afforded by ARINC 653 would not have been possible 10 years ago. “There would just be too much IP (intellectual property) leakage.”
IMA is also creating “a level of integration where the different components actually can pass messages to each other,” such as the GPS passing to flight control systems immediate location information. “Before they were discrete components (and) … would have to find a way of actually physically connecting to one another… but now they can do messaging via the operating systems” since “basically there is a scheduling and message passing standard that allows that in the (ARINC 653) avionics applications.”
The specification allows “multiple applications to communicate in a very controlled way, so that no other information can be passed that is not intended (and) no damage can be done; still, it allows essential communication to occur in a very defined and precise way in each direction,” added Bevins.
Meanwhile, DDC-I has introduced real-time operating system products supporting the ARINC 653, Part 4 strict subset, which was published late last year. Part 4 is specifically defined for systems that do not require the size, complexity and features of the full specification, such as the majority of the Line Replaceable Units (LRU) on next-generation aircraft. “We think it is going to address a lot of the open systems concerns that are driven largely by the military, but also by some commercial vendors like Boeing and Airbus,” said King.
There are other key ongoing standards initiatives including the Future Airborne Capability Environment (FACE) Consortium, a group of nearly 40 avionics manufacturers, military organizations and other companies. This year, the group released the FACE Technical Standard, which provides guidelines for creating a common operating environment to support applications across multiple Department of Defense avionics systems. (For more information in the FACE Standard, see page 30.)
FACE is built upon ARINC 653 with a combination of POSIX (Portable Operating Systems Interface) calls on top of that to get the extra capability, so it has a really nice mixture of avionics and … traditional enterprise platforms, (and) you can bring in code from different platforms,” Downing said. “When it comes to military platforms, the challenge is how to mix legacy and new software,” and providing additional POSIX capability on a global avionics standard like ARINC 653 is a good way to do that, said Downing.
With an eye toward tapping the power of the multi-core CPUs, RTOS companies are offering a variety of virtualization platforms, such as the Wind River Hypervisor and LynuxWorks Lynxsecure Embedded Hypervisor. These virtualization platforms essentially allow for running of multiple operating systems on a “virtual operating platform.” Instead of just running an RTOS, for example, “an embedded virtualization platform like our hypervisor … allows you to run a real-time operating system and something like Red Hat Linux,” said Downing. In turn, this allows aerospace and defense companies to use applications from the enterprise system with a real time application.
“We also have multilevel secure implementation (which is) something of a virtualization that allows you to have different containers of different levels of security on a shared processor.”
“Using virtualization software is … technically doable (but) … there are some certification hurdles (to be cleared) as people are trying to use avionics software on multi-core processors,” said Bevins. In fact, the use of RTOS with “multi-core (CPU) has been a problem for us in terms of certification … because the hardware companies won’t give us the guarantees we need,” said Dewar. For now, “it is fine to use a multi-core CPU but you can only use one (core); (software developers) shut off the others because they are not confident (there won’t be) interference.”
Next month: Electronic Flight Bags
Avionics Magazine’s Product Focus is a monthly feature that examines some of the latest trends in different market segments of the avionics industry. It does not represent a comprehensive survey of all companies and products in these markets. Avionics Product Focus Editor Ed McKenna can be contacted at firstname.lastname@example.org.
Alta Data Technologies www.altadt.com
Curtis-Wright Controls Defense Solutions www.cwcontrols.com
Ensco Inc. www.ensco.com
Express Logic www.rtos.com
GE Intelligent Platforms www.ge-ip.com
Green Hills Software www.ghs.com
Kontron AG http://us.kontron.com/index.php
Mentor Graphics www.mentor.com
Mercury Computer Systems www.mc.com
Microsoft Corp. www.microsoft.com
National Instruments www.ni.com
Objective Interface Systems www.ois.com
QNX Software Systems www.qnx.com
SYSGO AG www.sysgo.com
TTTech Computertechnik AG www.tttech.com
Wind River Systems www.windriver.com