
Monday, April 7, 2014

Real Time Operating Systems Addressing the Certification, Security and Standards Dilemmas

By Ed McKenna

Companies providing Real Time Operating Systems (RTOS) for the avionics industry face tough challenges as they confront demand for both higher functionality and higher safety requirements. At the center of this dilemma is the effort to certify safety-critical systems for the multi-core Central Processing Units (CPUs) already on next generation aircraft. Vendors are also addressing security concerns and crafting new standards to boost the development of more flexible RTOS solutions.


For most technology providers, addressing the safety certification challenges posed by multi-core systems is issue number one, the primary driver being an “insatiable need for additional functionality in a … SWaP [Size, Weight and Power] constrained environment,” according to Tim King, technical marketing manager at Phoenix, Ariz.-based DDC-I.


There is only so much space on an aircraft to put the computers, he says, and multi-core processors maximize additional computing power while using less square footage and power.


The general consensus is that certifications of multi-core systems to the highest DO-178B/C or ED-12B/C Design Assurance Levels (DALs) are underway, but how long those certifications will take is a matter of debate. “We are on the verge,” says Chip Downing, senior director of aerospace and defense at Alameda, Calif.-based Wind River. “There may actually be some certifications this year; most likely it will be next year. I think as an industry we have now figured out what it takes to make this happen.” In its next RTOS product, VxWorks 7, the company claims it will release a better solution for multi-core. But others are less bullish.


“There are still some marked differences of opinions on the right architecture to support multi-core systems,” says Robert Day, vice president of marketing at San Jose, Calif.-based LynuxWorks. “Progress is being made, but somewhat slowly.”


With its LynxOS RTOS offerings, LynuxWorks is one of several companies, including DDC-I, Wind River, Sysgo and Express Logic, that offer solutions in the competitive avionics market space. Though these companies differ on when, they agree that multi-core systems will develop sufficiently to at least satisfy market demand.


“You can’t really say you are not going to certify multi-core systems when that is the way all hardware is running,” says Robert Dewar, co-founder, president and CEO of New York-based AdaCore, provider of critical Ada-based software tools used by RTOS companies including Wind River and Sysgo.


But the aviation industry is not just looking for more power and less energy use. The real need is something that Jacques Brygier, vice president of marketing at Klein-Winternheim, Germany-based Sysgo, describes as “safe, deterministic and predictable.”


It is sometimes difficult to maintain predictability for software systems, Brygier says, “when you have multi-core [processors] running together.” To date, this issue has been resolved by disabling all but one core, which is how Sysgo’s PikeOS, for example, is deployed on the Airbus A350.


However, Sysgo made headway in its efforts to tame the multi-core environment late last year, when it became the first to certify an RTOS and hypervisor on a multi-core platform to the EN 50128 SIL 4 standard, the highest possible safety level, according to Brygier.


That standard applies to railway applications, but with the experience gained from that certification, “we feel confident that we can achieve certification of DAL C” for avionics, says Brygier. To certify to DAL B or A, however, Sysgo will need two to three more years.


For the Federal Aviation Authority (FAA) and the European Aviation Safety Agency (EASA), a key concern centers on the potential for interference between systems operating on shared resources, such as a cache. Last year, DDC-I conducted tests that illustrated this issue and provided a technology fix. Specifically, the new technology, “cache partitioning,” is designed to minimize “resource contention between different partitions,” says Greg Rose, the company’s vice president of marketing and product management.


Contention for shared resources and interference patterns can take place between applications and can occur even on a single core processor. But on a multi-core processor, the interference is amplified considerably, says King. The challenge is to merge and control all of those interference patterns.


Cockpit of an Entegra-equipped Cirrus aircraft that includes the DFC90 Attitude-Based Digital Autopilot, which uses the ThreadX RTOS, and a schematic of Sysgo’s PikeOS. Courtesy of Express Logic.

In the tests, which used a single core Central Processing Unit (CPU) as a benchmark, the company found that leaving a cache on creates more interference scenarios than leaving it off; however, with the cache off, operations are still significantly degraded. The company’s cache partitioning solution, now a standard part of Deos, allows the developer to segment a shared cache into different areas, each dedicated to one or more applications, preventing their interference. The tests were conducted on a single core CPU, but if run on multi-core the issues are worse; “you could turn a quad core processor into a quarter core processor really quickly,” King says. The tests not only showed that the technology helps boost utilization rates but also that it allows you to identify potential interference patterns between the different pieces of software on different cores.
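The interference the DDC-I tests describe, and the effect of dedicating cache areas to applications, as an added toy model (not Deos or any DDC-I code): a 64-set, 4-way LRU cache is shared by a partition A that loops over a small working set and a partition B that streams through fresh memory; partitioning is modelled by restricting each partition to its own cache sets (a simplification of page colouring), and the access traces, addresses and cache geometry are constructed for the illustration.

```python
"""Toy model of shared-cache interference and cache (set) partitioning.

Constructed illustration, not vendor code: two partitions share a set-associative
LRU cache. Unpartitioned, partition B's streaming accesses evict partition A's
lines, so A's miss count depends on what B does. With the cache split so each
partition uses only its own sets, A's misses no longer depend on B at all.
"""
from collections import OrderedDict

LINE_BYTES = 64


class LruCache:
    """Set-associative cache with LRU replacement; ways=0 models the cache switched off."""

    def __init__(self, num_sets, ways):
        self.num_sets, self.ways = num_sets, ways
        self.sets = [OrderedDict() for _ in range(num_sets)]

    def access(self, addr, allowed_sets=None):
        """Return True on a hit. allowed_sets, when given, is the list of cache
        sets the requesting partition may use (simplified page colouring)."""
        if self.ways == 0:
            return False
        line = addr // LINE_BYTES
        idx = line % self.num_sets if allowed_sets is None else allowed_sets[line % len(allowed_sets)]
        s = self.sets[idx]
        if line in s:
            s.move_to_end(line)          # refresh LRU position
            return True
        if len(s) >= self.ways:
            s.popitem(last=False)        # evict the least recently used line
        s[line] = True
        return False


def run(ways=4, b_active=True, partitioned=False, rounds=50):
    """Partition A loops over a 32-line working set (a control loop); partition B
    streams through fresh memory, 8 accesses for each of A's. Returns A's miss count."""
    cache = LruCache(num_sets=64, ways=ways)
    a_sets = list(range(0, 32)) if partitioned else None   # A owns sets 0..31
    b_sets = list(range(32, 64)) if partitioned else None  # B owns sets 32..63
    a_misses, b_addr = 0, 1_000_000 * LINE_BYTES           # constructed addresses
    for _ in range(rounds):
        for i in range(32):
            if not cache.access(i * LINE_BYTES, a_sets):
                a_misses += 1
            for _ in range(8 if b_active else 0):
                cache.access(b_addr, b_sets)
                b_addr += LINE_BYTES
    return a_misses


if __name__ == "__main__":
    print("cache off:       ", run(ways=0))             # 1600: every access misses
    print("A alone:         ", run(b_active=False))     # 32: compulsory misses only
    print("A+B shared cache:", run())                   # 1600: B evicts A every round
    print("A+B partitioned: ", run(partitioned=True))   # 32: identical to A alone
```

With a shared cache A's miss count swings between 32 and 1600 depending solely on B's behaviour, which is exactly the non-determinism certification authorities object to; with the sets partitioned, A's figure cannot be influenced by B.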


Beyond these initiatives, opinion remains divided when it comes to fundamental approaches. “Many believe that using an SMP (Symmetric Multi-Processing) model operating system is the best way … generally because many of the RTOS support SMP and this would seem like an easy path,” says Day. 


“However, some people closer to the FAA still maintain that an AMP (Asymmetric Multi-Processing) mode solution with multiple versions of the operating system running on the multiple cores is a safer path to successful safety certifications.”


Even as they address multi-core certification, the companies are beginning to transition to the DO-178C/ED-12C standard. “It is not that drastic a change and [as] new programs come up they will probably have DO-178C requirements,” says Downing. “I think there is a buffer of three years you can make a choice (to use the older DO-178B or C).”


The new regulation includes clearer rules about what is needed to qualify the tools used in the certification process, says Dewar. “You’ll see tools [become] mainstream over time … as software gets larger you are going to have to have a tool to help you achieve that certification,” says Downing.


The regulation also “tackles object-oriented technology [and] … is much more amenable to the use of formal methods [coding],” says Dewar. There has been more interest in formal methods for several reasons including improved hardware performance and technology correctness, he adds.


Working with Altran Praxis, AdaCore is set to introduce the SPARK 2014 Ada programming language, which addresses the “area of combining testing and proofs” and will, unlike the previous edition of SPARK, allow developers to “take a legacy application and program new pieces of it using a more formal approach to prove correctness.”


There is one caveat. On paper, DO-178C seems to spell out a number of possibilities for making use of formal coding methods, “but if you don’t get a sign off from your Designated Engineering Representative (DER) or they want you to do other stuff, you are kind of stuck,” says Dud Smith, senior consultant to AdaCore and founder of Smiths Aerospace, now GE Aerospace. There are still issues to work out, he says. Smith believes DO-178C will mature as its use continues and it grows in popularity.


As far as actual certification is concerned, the main question is “how much time, money and skilled resources can be applied,” says John Carbone, vice president of marketing for San Diego, Calif.-based Express Logic. “Some RTOS require less of each of these resources, due to their small code size, or prior testing and development processes … the effort to provide the document and test sets required to demonstrate compliance with DO-178C generally will be significantly greater than the original software effort,” he says.


“However, it is a one-time investment, and portions may likely be completed as part of the development of the RTOS itself,” says Carbone, adding that usually the “bulk of the value of ThreadX is contained in its [Application Programming Interfaces] and kernel services.” Among ThreadX users is Avidyne, which uses it for the DFC90 Attitude-Based Digital Autopilot.


Developers that opt to use Express Logic’s ThreadX RTOS can shortcut the process by licensing the Certification Pack from Express Logic, which gives them the certification artifacts for ThreadX, saving them time and money and reducing risk.


Along with addressing safety, the industry is also developing new Multiple Independent Levels of Security (MILS) programs to fend off growing security concerns. While there used to be some “debate about whether we really had to worry about security … today people are saying you must build that into the system,” says Downing. For its part, Wind River introduced the latest VxWorks MILS Platform last year with multi-core features built in.


The increased vigilance is being triggered by the arrival of consumer electronic products on aircraft as passengers now use iPads or tablet applications to control lights and entertainment; it is critical, in such a situation, to guarantee isolation and that critical and non-critical systems do not overlap, Brygier says. These tablets are also being used as Electronic Flight Bags (EFBs) on the flight deck but, since they aren’t kept in the mission critical part of the aircraft, the safety/security risk is lower.


Sysgo and LynuxWorks are participating in European Union funded projects — EURO-MILS and D-MILS — aimed at boosting security. Sysgo is providing the foundation of EURO-MILS with its PikeOS initiative, which includes contributions from Airbus, Thales, JEMM Research and academic institutions. The goal of the three-year research project, started in 2012, is to produce a “MILS compliant software platform” that is trustworthy and “can be used in different industry domains,” says Brygier.


The participants have developed two standards, one for automotive and the other for avionics, says Brygier, adding that the effort to craft a platform that can be applied across domains has been challenging, especially for the hardware companies.


“Of course, every sector has its own requirements, but if you focus on the core technology and then you address what is specific (to a domain) on top of it, like we do with our partition type of environment, you can run an ARINC 653 API or POSIX and next to it … Linux, or, if you are addressing automotive, Autosar.”    


Separately, Sysgo is introducing new ways to work with hardware virtualization features while retaining the safety and security benefit of PikeOS. LynuxWorks is providing and extending the LynxSecure separation kernel hypervisor as a foundational security/safety technology for D-MILS in an effort “to extend the MILS architectural approach to support distributed real-time communication systems for aerospace, transportation, communications and other industries,” he says. Other contributors include Frequentis, Fortiss and TTTech.


“The consortium is developing a scalable architecture that automates the verification of critical distributed systems in a predictable, dependable and fully certifiable way for complex critical applications,” Day says. “This is key for the aircraft industry as it combines safety and security measures for communication between critical systems — both airborne and ground-based — and it will make it possible to automate and substantially lower the certification costs for complex critical applications that operate across multiple systems.”


Meanwhile, in the United States, the Future Airborne Capability Environment (FACE) consortium, which includes a who’s who of the aerospace and information technology communities, is pressing forward with its plans to assert a measure of commonality in the military market.


“We are going through this review process of around 10 documents [allowing users] to not only build up a FACE conformant system but also have a whole conformance program where you can actually submit software to be tested and listed as conformant,” says Downing.


“We have seen a lot of progress over the last year to help drive the adoption of FACE,” says Day. “More DoD programs are specifying FACE as a requirement … more members have joined the [consortium]. … Some commercial aviation operations have started to show real interest in using FACE compliant products.”


“We fully embrace it,” says Rose. “The government will be able to get equivalent technology products for less money.” It will also make strides in breaking vendor lock, he says, and open up the market for companies like DDC-I to compete. “It is at a stage where it is just about ready to go primetime,” says Smith. “We are now in the early stages of trying to get sign-off on the design and the initial implementation, [which] means looking at the fine print.”


Contractual and legal issues, however, remain under contention, and some companies, says Smith, “are kind of resisting legal and contractual issues of engaging with the open source and the whole FACE consortium.”
