This is a big year for commercial off-the-shelf (COTS) real-time operating systems (RTOS). Green Hills Software (GHS), LynuxWorks and Wind River Systems have recently passed or plan shortly to announce DO-178B and ARINC 653 milestones. All three plan eventually to comply with demanding security requirements.
Commercial boards that support real-time operating systems will offer application developers a range of choices. Single-board computer software is being qualified to DO-178B as part of the COTS package. And stripped-down, PC/104 interface boards promise hassle-free data bus interfaces.
Green Hills’ Integrity-178B operating system recently passed a Federal Aviation Administration (FAA) DO-178B, Level A, audit in connection with ACSS’ Traffic and Terrain Collision Avoidance System (T2CAS) avionics package, which combines terrain awareness warning system (TAWS) and traffic alert collision avoidance system (TCAS) capabilities. Integrity-178B also has passed a Level A audit related to the RTOS’ use with the Rockwell Collins avionics management system on the Sikorsky S-92 helicopter (February 2003, page 14).
Integrity-178B is the first commercially available RTOS that is DO-178B, Level A-certifiable and ARINC 653-compliant, according to John Carbone, GHS’ vice president of marketing. The latter standard prescribes a partitioned application interface, under which each partition is guaranteed the resources it requires, both memory and processor time, and no partition can consume more than its allotment. ARINC 653 therefore allows applications with different levels of criticality to coexist on the same hardware without a fault in one propagating to another.
In March LynuxWorks introduced its LynxOS-178 product, certifiable "out of the box" to DO-178B, Level A. This product commercializes the Virtual Machine Operating System (VMOS) developed by Rockwell Collins for the aviation market. Initial VMOS applications, says Collins, include the AFD-5220 display system for the Bombardier Challenger 300 and Gulfstream G-150 aircraft, as well as the FSU-5010 file server unit to be installed on various unnamed aircraft. The company anticipated FAA approval of the AFD-5220 package in April. VMOS incorporates ARINC 653 requirements, such as time and resource partitioning and health monitoring.
LynuxWorks’ DO-178B solution also includes a complete artifacts package for the kernel and a user library with full DO-178B traceability. The company planned soon to release the first COTS-certifiable TCP/IP stack–developed by Collins for intersystem communications. The software company also is porting the operating system to a COTS development board, the VMPC 6, produced by Thales Computers.
Wind River Systems, whose RTOS is used in many military systems, is working on an ARINC 653-compliant version of VxWorks, AE653. The software will be used in the C-130 avionics modernization program (AMP) and the Boeing 767 tanker program, says Steve Blackman, director of market development. The Wind River offering, expected in the second quarter, is dubbed a "platform for safety critical systems," including not only the RTOS, but board support software, libraries and tools. The company’s existing DO-178B-certifiable operating system passed a Level B audit last year as part of the U.S. wide area augmentation system (WAAS). Wind River is going through a Level A certification review with European authorities as part of two Eurocopter projects.
Evaluation Assurance Level
All three firms, meanwhile, are striving to bulletproof their products to achieve certification at a Common Criteria evaluation assurance level (EAL), the security evaluation scheme administered in the United States by the National Security Agency (NSA). Green Hills, for example, is involved in six programs requiring EAL certification: F-22, Joint Strike Fighter (JSF), unmanned combat air vehicle (UCAV), Joint Tactical Radio System (JTRS), Future Combat Systems (FCS), and C-17 Globemaster III.
The Common Criteria define seven assurance levels, EAL-1 through EAL-7; the topmost, EAL-7, is required by aircraft such as the JSF. Compliance at the higher levels has to be mathematically proven, rather than merely tested, as with DO-178B: the upper levels require a formal model of the security policy and, at EAL-7, a formally specified design verified against it, whereas DO-178B relies on requirements-based testing and structural coverage analysis. EAL is similar to ARINC 653, says Carbone. It involves "secure partitioning of functions and information within a system, so that one function cannot intentionally or unintentionally interfere with the operation of another function and information cannot be accessed by unauthorized programs." There is software partitioning with enforcement in hardware through the microprocessor’s memory management unit, which prevents code in one partition from reading or writing another partition’s memory. GHS claims that Integrity was designed from the start with EAL in mind.
LynuxWorks says it’s collaborating with Rockwell Collins, Lockheed Martin and NSA to "modularize" its RTOS kernel to meet EAL requirements. This assures that programs running on a central processing unit (CPU) can’t access each other’s data, explains Greg Rose, LynuxWorks’ director of product management. "When you switch between partitions, you make sure there are no covert channels, that registers were cleared." Processor registers left holding values across a partition switch would otherwise carry one partition’s data into the next, a leak that memory partitioning alone does not stop.
At the high end of RTOS support, Dy 4 Systems is working with RTOS developer Wind River Systems to qualify board-level software components to DO-178B, Level B. This is the first time that certifiable, low-level board software–foundation firmware and the board support package–will be provided for a COTS single-board computer, claims Duncan Young, Dy 4’s director of marketing. The internally funded Dy 4 project should yield initial products by September and a full documentation package early next year.
The Canadian company sees a demand for boards with DO-178B-certifiable, low-level software, Young says. In Europe there is growing interest from a product liability standpoint, he adds. "The market is changing, demanding a level of certifiability that hasn’t been there before."
One factor driving interest is the trend toward integrated modular avionics (IMA) architectures in the military market, Young says. If the mission computer is interfaced with commercial com/nav equipment, for example–sharing data with those safety critical systems–mission computer software components would need to be certified to a similarly rigorous standard.
Dy 4 is preparing its PowerPC-based SVME/DMV-181 single-board computer for customers choosing Wind River’s forthcoming VxWorks AE653 RTOS. "For a complete [DO-178B] certified system, all software has to be certified," explains Young. That includes foundation firmware that initializes and tests board devices, as well as board support software. If customers need Level A, the company would do the necessary work. All the documentation is in place although a significant amount of additional testing would be required, he says.
UK-based Radstone Technology, meanwhile, has formalized a partnership with Green Hills Software to provide the Integrity operating system on Radstone’s single-board computers. The RTOS is available on Radstone’s PowerXtreme family, including boards such as the PowerPC PPC7A and the PPC4A. The PPC4A, with Integrity-178B, is part of an application being certified to DO-178B, Level A, by a European customer. Typically, certification issues concerning board-level software are handled for Radstone at the original equipment manufacturer (OEM) level.
At the other end of the spectrum are Ballard Technology’s stripped-down PC/104 boards, which allow customers to simplify the DO-178B certification process. This is a new approach for Ballard, known for its high-end data bus test hardware.
Ballard’s PC/104 boards–the PM429-1 and the PM1553-1–can be used as an avionics data bus interface in embedded aircraft systems, where the performance requirement is small, compared with data bus test or simulation. This simple, low-cost, hardware-based approach "minimizes the DO-178B headache, as only the operating system and the application need to be certified," says Kevin Christian, Ballard’s customer services manager. There is no need for drivers, firmware or random access memory (RAM) gate array files, he says. The cards can be run from any operating system.
Developers of code that will be certified to DO-178B use software tools to analyze and verify that code is tested and performs according to design requirements. Certification is more demanding at higher levels of the spec, and so is the structural coverage it requires: Level C calls for statement coverage (every line of code executed), Level B adds decision coverage (every decision evaluated both true and false), and Level A adds modified condition/decision coverage (MC/DC), in which each condition within a decision must be shown to independently affect the decision’s outcome. A test set can execute every line and take every decision both ways while still never isolating one of the conditions, which is why MC/DC is the criterion that distinguishes Level A.
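To make the three coverage criteria concrete, here is an added example, not code from the article or from any of the tools it names, that checks a constructed three-condition decision, A and (B or C), for statement, decision and MC/DC coverage, lists the independence pairs MC/DC needs, and brute-forces a minimal MC/DC test set. The decision and the test vectors are constructed for illustration; a real coverage tool instruments the compiled program rather than evaluating a Python function.

```python
"""Structural-coverage check for a single boolean decision, in the terms
DO-178B uses: statement, decision and modified condition/decision coverage
(MC/DC). Added example for illustration; the decision and test vectors below
are constructed, not taken from any certified program."""
from itertools import combinations, product


def decision(a, b, c):
    """Constructed example decision with three conditions: A and (B or C)."""
    return a and (b or c)


def outcomes(dec, tests):
    """Map each test vector to the decision outcome it produces."""
    return {t: bool(dec(*t)) for t in tests}


def independence_pairs(dec, n, tests):
    """For each condition index, list the pairs of test vectors that show the
    condition independently affecting the outcome: the two vectors differ only
    in that condition and the decision outcome differs between them."""
    result = {i: [] for i in range(n)}
    res = outcomes(dec, tests)
    vecs = sorted(res)
    for t1, t2 in combinations(vecs, 2):
        diff = [i for i in range(n) if t1[i] != t2[i]]
        if len(diff) == 1 and res[t1] != res[t2]:
            result[diff[0]].append((t1, t2))
    return result


def coverage(dec, n, tests):
    """Report which criteria the test set satisfies for this one decision.
    Statement coverage here just means the decision was executed at all
    (Level C); decision coverage needs both outcomes (Level B); MC/DC needs
    an independence pair for every condition (Level A)."""
    tests = list(tests)
    res = outcomes(dec, tests)
    pairs = independence_pairs(dec, n, tests)
    return {
        "statement": len(tests) > 0,
        "decision": {True, False} <= set(res.values()),
        "mcdc": all(pairs[i] for i in range(n)),
        "uncovered_conditions": [i for i in range(n) if not pairs[i]],
    }


def find_mcdc_set(dec, n):
    """Brute-force the smallest test set achieving MC/DC for dec by trying
    subsets of the full truth table in increasing size. MC/DC needs at least
    n+1 vectors for n conditions, so the search starts there. Exponential:
    fine for the handful of conditions in one decision, not for a program."""
    table = list(product([False, True], repeat=n))
    for size in range(n + 1, len(table) + 1):
        for subset in combinations(table, size):
            if coverage(dec, n, subset)["mcdc"]:
                return list(subset)
    return None  # some condition can never independently affect the outcome


# Constructed test sets. The first achieves decision coverage (both outcomes
# seen) but no MC/DC, because its two vectors differ in all three conditions.
DECISION_ONLY = [(True, True, True), (False, False, False)]
# The second is a minimal MC/DC set: n+1 = 4 vectors for three conditions.
MCDC_SET = [(True, True, False), (False, True, False),
            (True, False, False), (True, False, True)]

if __name__ == "__main__":
    print("decision-only set:", coverage(decision, 3, DECISION_ONLY))
    print("MC/DC set:        ", coverage(decision, 3, MCDC_SET))
    print("independence pairs:", independence_pairs(decision, 3, MCDC_SET))
    print("smallest MC/DC set found:", find_mcdc_set(decision, 3))
```

Running it shows the point of the paragraph: the two-vector set reports statement and decision coverage satisfied but leaves all three conditions uncovered, while the four-vector set isolates each condition with exactly one independence pair. The brute-force search is there to show that n+1 vectors really are enough for this decision; production tools derive the pairs from instrumented execution traces instead of enumerating the truth table.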
Metrowerks’ CodeTEST package supports Levels A, B and C coverage, as well as software analysis functions such as memory analysis, software execution trace and performance profiling, the company says. It recently announced version 4 of CodeTEST, supporting faster processors.
Metrowerks sets itself apart from the crowd by offering hardware-based data acquisition probes, says Spencer Brown, product marketing manager. Connected to the data bus of a customer application development board, the hardware provides a more accurate and less intrusive approach than software-only data collection. With a software-only approach, "you get a less accurate picture of how the system performs," he says.