Monday, April 1, 2013
Real-Time Operating Systems
Standards initiatives, including FACE and DO-178C, within the avionics RTOS community aim to tackle security and certification challenges
As military and civil aircraft add more capable and connected technologies, real-time operating system (RTOS) developers are facing growing security concerns and challenging certification issues. Key tests include addressing potential network vulnerabilities and the soon-to-be-deployed multi-core processor architectures. Also on deck is the certification of unmanned aerial vehicles (UAV) that are likely to soon be operating in commercial airspace. Critical to tackling these and other challenges are the ongoing standards initiatives, such as DO-178C and the Future Airborne Capability Environment (FACE), aimed at keeping up with changing technology approaches and delivering greater efficiency at lower cost.
Over the past few years, RTOSs have given a big boost to industry efforts to improve safety while trimming size, weight and power (SWaP) use and cost. The technologies themselves “allow systems to use more processor bandwidth and … for more subsystems to run single physical systems,” said Robert Day, vice president of marketing at San Jose, Calif.-based LynuxWorks. “Partitioned RTOSs, such as LynxOS-178, take that one step further and allow subsystems that run at different levels of criticality to safely co-exist on a single hardware platform, (reducing) the need for as many physically separate systems.”
The use of partitioned systems, certified under safety standards DO-178B and ARINC 653, has surged on military and civil aircraft worldwide. For example, LynuxWorks recently inked a deal with Rockwell Collins to provide its LynxOS-178 for Rockwell’s Pro Line Fusion avionics system, a deal that underscores “the fact that these products have now been through certification and are being actively deployed in new aircraft,” said Day. “New market segments, such as the business jet market, further expand the reach of standards-based software and benefit from the software’s ability to reduce the time and cost of platform development and its subsequent certification,” Day said.
Additionally, LynuxWorks received FAA Advisory Circular AC 20-148 approval for reusable software components authorized for the LynxOS-178 product used in the Rockwell Collins Adaptive Flight Display Runtime, Common Computing Module Runtime, Data Concentration Module Runtime and Synthetic Vision Module Runtime for Pro Line Fusion.
Wind River’s partitioned RTOS, VxWorks 653, grew out of an industry specification developed by Honeywell and Boeing for the 777. “We now have 294 programs using our VxWorks 653 product,” said Chip Downing, senior director of aerospace and defense at Alameda, Calif.-based Wind River.
DDC-I emphasizes “reusability” with its space- and time-partitioned RTOS called Deos. “Deos supports modular application architectures, so that our customers can reuse not only their software, which is important, but more importantly … any certification and other similar types of artifacts that go with that,” said Tim King, technical marketing manager at Phoenix-based DDC-I. In the safety mission-critical world, “most of one’s schedule and cost is in developing those artifacts,” he said. “The software itself depending on (its) … level of criticality … might be 10 percent of the overall investment.”
The Deos safety-critical RTOS is used to host DO-178 certifiable avionics software, including functions such as air data computers, air data inertial reference units, cockpit video, displays and flight instrumentation, electronic flight bags, enhanced ground proximity warning, flight controls, flight management systems, maintenance systems, power distribution systems, radios, traffic collision avoidance systems and weather radar.
Even as the different partitioned systems tackle SWaP and cost concerns, security has grown as a key issue, according to industry officials. It is a volatile landscape out there with new types of threats emerging constantly, “posing challenges for the entire software industry whether enterprise or embedded or in between,” said Downing.
The partitioned operating systems “are good for containment of safety fault conditions, but typically do not actively protect or look for malicious attacks or faults,” said Day. Furthermore, with the growth of connected systems, “one now has to worry about security breaches and attacks over the network, and so safety concerns are no longer about just fault conditions, but also about malicious fault conditions.”
In fact, security has risen to “the top of everyone’s mind right now because it is something we have ignored, especially (in) … safety certification work where we had standalone disconnected systems,” said Downing.
This emphasis on security has pressed RTOS manufacturers to put “increased energy into getting MILS [Multiple Independent Levels of Security/Safety] certified kernels out,” said Robert Dewar, co-founder, president and CEO of AdaCore. The New York-based software company works with RTOS companies including Wind River. Its GNAT Pro Ada 95 compiler and development environment is playing a key role on aircraft including the 787, C-130J and KC-767 tanker. The company is launching a new version of Ada, a computer language that is well suited to the safety-critical domain.
“We now run our safety-critical RTOS on top of our LynxSecure secure separation kernel that gives additional security protection around the safety system,” said Day. MILS systems are also being offered by Wind River, Green Hills Software and SYSGO, among others.
The rise in security concerns is occurring at the same time the industry is poised to transition to the latest multi-core processor technology needed to support the “insatiable desire for more and more functionality in (the) aircraft cockpit,” said King.
“It isn’t a question of if, it’s a question of when, these technologies will come into general use on the civil and military platforms,” said King, noting that interested companies and standards organizations are getting together to help identify, at least at a high level, the key issues associated with certification.
These advanced processors present “some really interesting challenges at a system … and RTOS level,” said King. For RTOS vendors, “the primary challenge … is what we call bounding and controlling interference patterns on shared resources.” It is, for example, “very common for … multiple cores to share an L2 cache” spurring competition for the use of the mechanism between data from different applications. This can cause “interference patterns where one application can affect the execution time behavior of another application,” King said. “Even on a single core (processor), you’ve got this problem, but in a multi-core environment … the problem is on steroids,” said King.
The key issue here is how to “analyze those interference patterns because for safety mission-critical systems I have to time budget those things,” he said. “If I can’t analyze those interference patterns … I have to assume the absolute worst possible conditions … (which) can quickly turn a multi-core processor effectively into a single core processor or worse,” King said.
The issues surrounding multi-core CPU certification are being addressed slowly, said Day.
“There is capability being built in there, like TrustZone and other trusted architectures, (but) it is still not good enough to make security easy,” said Downing.
“The real opportunity for certification of multi-core systems appears to be more in an assisted Asymmetric Multi-Processing mode (AMP) rather than full Symmetric multi-processing (SMP) model,” Day said. “The civil sector is going to be slower to adopt multi-core systems because of the rigorous FAA certification requirements,” said Day. They “are still trying to specify the most acceptable way to run software on multi-core systems without negatively impacting safety.”
For now many industry officials concede the only effective answer is turning off all but one core, which “is obviously the easiest way to do this … (but) I’m not sure shutting off all but one is the right answer,” said Downing.
The eventual answer for the multi-core CPUs “will be the use of partition systems,” said Dewar. “We continue to see partitioning as an important trend; more than half of our embedded business is built around ARINC 653-based systems and (it will) continue with the multi-core systems … helping to ensure one core doesn’t interfere with another core.”
Meanwhile, government and industry are pressing standards efforts to keep up with technology advances and provide for greater efficiency and cost savings, especially in the military market, by accelerating the move toward standard off the shelf products.
While industry is still relying for the most part on DO-178B, interest seems to be growing in DO-178C and its key supplements, said Dewar. “I don’t know when the first avionics DO-178C certification will (occur), but I think we will be seeing steps in that direction by the RTOS vendors in the coming year.”
The standard, which became available to industry at the beginning of last year, “opens a clear pathway to using object oriented techniques in software and … leads in the direction of more use of formal methods, and that is something we will see an increased emphasis on,” especially in the MILS area, said Dewar. In safety-critical programs, “we will see increased use of proof of correctness,” and DO-178C is also “much clearer than DO-178B (concerning) … the procedures needed to qualify tools that are used for safety analysis,” he said.
For now, however, “the existing programs and even new programs are still dictating DO-178B as the certification mechanism, so we have seen no impact of DO-178C as yet,” said Day.
Meanwhile, “the FACE consortium is making great strides, and FACE compliance is becoming a requirement on many of the new programs being proposed now,” said Day.
The FACE Consortium, a government and industry partnership established to define an open avionics environment for military airborne platform types, released the FACE Technical Standard in 2012. The standard created a common computing architecture supporting portable, capability-specific software applications across Department of Defense (DoD) avionics systems. The end result, according to the consortium, will be faster software development time and reduced costs, enabling developers to create and deploy a catalog of applications for use across the entire spectrum of military aviation systems through a common operating environment. The consortium has more than 50 member companies, including LynuxWorks, Objective Interface Systems, DDC-I, Green Hills Software, Wind River, Presagis and others.
“LynuxWorks was first to market with a FACE API on a safety critical OS (LynxOS-178), because the FACE API for an RTOS is based on POSIX … the native interface for LynxOS-178 … it was a relatively simple port with great efficiency,” said Day. “Using open standards such as FACE will help protect legacy systems in the future by allowing interoperability between legacy and modern systems.”
FACE will not just provide “a piece of software that you take; it is going to have all the credentials and all the … evidence that you need to actually achieve certification as well,” Downing said.
“We are starting to build up a structure to actually very quickly use COTS software,” he said. “For me, that is really the key where you can actually reuse software on these different platforms and the certification evidence,” noting that it will be “a big plus” for a product like VxWorks 653.
“We have COTS, a DVD with 70,000 hyperlink files that we sell with that product,” so now you can order the DVD and “then push them through certification and reduce the risk quite a bit instead of trying to redo that on each program like we have traditionally,” he said.
In March, FACE released Version 2.0 of its Technical Standard. Key additions include the FACE Data Model, Language Run-Times and Component Frameworks, Protocol Mediation Services, Streaming Media Services and expanded definitions of Units of Portability. The consortium said it believes these additions broaden the standard to accommodate other languages and aviation mission requirements, including required capabilities such as streaming video, and will accelerate the rate of adoption. “Edition 2.0 of the FACE Technical Standard sets the framework for innovation in software-centric avionics capabilities, where completed and mature products can move from platform to platform with reduced development and integration effort,” said Dave Nieuwsma, vice president of strategy and business development at Rockwell Collins. “Rockwell Collins looks forward to utilizing this open architecture advancement in the development of next generation capabilities on programs such as the UH-60L.”
With the evolving standards, a much discussed issue is how UAV systems will be handled, especially as the systems begin to be used more and more in civil or noncombatant airspace. The consensus is that at least the larger vehicles will need to be certified just like manned platforms. They will need to go through “proven processes like DO-178B and now 178C for software and DO-154 for hardware,” said Downing. Many of the “platforms are very powerful and can carry a wide range of payloads including weapons, and (they) are now transitioning to the next phase in which they will be integrated into the commercial airspace flying next to an airliner, so you are going to want the same type of safety and security assurance that you have (on) an airliner,” he said. “I think we are going to want to use UAVs for patrolling borders, not only land borders but also our shorelines,” said Downing.
“In the last 10 years, we have had the opportunity to build a lot of aircraft, especially unmanned vehicles; at least 10,000 UAVs were built just for U.S. operations,” said Downing. As new mission systems are installed in these platforms, they can be “upgraded … making them safer and more secure now that the immediate urgency of war has lessened a bit,” said Downing. “We can … put in software that is better qualified” and FAA certified.
Next month: Lighting
Avionics Magazine’s Product Focus is a monthly feature that examines some of the latest trends in different market segments of the avionics industry. It does not represent a comprehensive survey of all companies and products in these markets. Avionics Product Focus Editor Ed McKenna can be contacted at firstname.lastname@example.org.
The following are announcements from developers of real-time operating systems.
▶ Northrop Grumman selected the INTEGRITY-178B Time-Variant Unified Multi Processing (tuMP) multicore operating system from Green Hills Software for use in its Gen II Mission Computer for the U.S. Marine Corps UH-1Y and AH-1Z helicopter upgrades. The Northrop Grumman Technical Refresh Mission Computer hosts the INTEGRITY-178B tuMP capabilities using a Freescale QorIQ P4080-based single-board computer.
“The UH-1Y and AH-1Z are highly integrated combat helicopters that require mission computers with significant yet flexible computing capabilities, which can be updated to support specific configurations,” said Ike Song, vice president of Northrop Grumman’s Situational Awareness Systems business unit in Woodland Hills, Calif.
▶ DDC-I in February introduced an ARINC 615 target data loader (TDL) for its Deos safety-critical real-time operating system. The new TDL enables file transfers between ground systems and Deos-based avionics target devices equipped with AFDX, ARINC 429, or TCP/IP interfaces. Deos is a safety-critical embedded RTOS that has been certified to DO-178B DAL A since 1998.
▶ SYSGO was awarded a project to certify its PikeOS operating system and hypervisor within a multi-core platform at the highest level defined by the international safety standard required by the project.
The company said the announcement “opens up a whole new market for modern software design in areas of avionics and railway where there is a drive to run safety critical software on top of the latest multi-core processors.”