Real-time operating systems (RTOS) are the foundation software for computing systems. They manage the computers' other software programs and orchestrate these programs' requests for services. And they must be robust enough to deal with unexpected events without causing an aircraft to lose a flight-critical function.
In the past, many aerospace companies developed their own, proprietary operating systems and software tools, which were optimized for specific functions. Honeywell, for example, created the digital "engine" operating system (DEOS) and Rockwell Collins, the virtual machine operating system (VMOS), which it engineered from an earlier LynuxWorks product in the late 1990s. Collins licensed the changes back to LynuxWorks in the 2002-2003 time frame, and LynuxWorks now offers the new version of the software as LynxOS-178.
Collins and LynuxWorks now are partnering to achieve acceptance of the LynxOS-178 kernel and POSIX application programming interface (API) as a reusable software component (RSC) under the guidelines described in advisory circular 20-148, issued by FAA in December 2004. Among other things, the new approach will allow FAA to accept third-party utility software, even though the software is only a part of a larger application, such as a flight management system (FMS) or a flight control system. The third-party RSC developer has to partner with an avionics system developer as part of a technical standard order (TSO), type certificate (TC) or supplemental type certificate (STC) project, but the RSC developer controls the distribution of the RSC approval letter.
The key benefit of the new procedures is that other integrators then can reuse the RSC. The integrators are able to take credit for DO-178B objectives that already have been fully met without having to submit that life-cycle data to FAA for review. Subsequent users don't even have to see the original proprietary data relating to objectives that have been fully satisfied, a factor which should encourage reuse.
LynuxWorks recently submitted its data package to its own and Collins' designated engineering representatives (DERs). The RTOS company hopes to complete the process by this August. LynuxWorks' LynxOS-178, version 2.0, is thought to be the first RTOS to have entered the RSC pipeline.
Wind River Systems describes a technology approach to RTOS reuse for some military customers. These customers will be able to move applications between various "platforms," which contain an operating system, development environment and other software. They can move between the "general purpose platform" and the "platform for safety critical" as soon as the latter software platform adopts the development environment used in the general purpose package. This is scheduled to occur later this year.
Today avionics manufacturers still use homegrown RTOS and stripped-down, single-purpose operating systems known as runtime executives. But they are becoming more comfortable with third-party, commercial off-the-shelf (COTS) products, as well.
Recent aircraft provide striking evidence of this trend. The Boeing 787 Dreamliner will use COTS operating systems by Green Hills Software and Wind River Systems in core avionics systems.
Smiths Aerospace chose Wind River Systems' VxWorks 653 RTOS for the B787's common core system (CCS), a cabinet that will host 80 to 100 applications, including Honeywell's FMS and health management software and Collins' crew alerting and display management software. Multiple utility management applications relating to landing gear, electrical power, hydraulics, environmental control and even "lavs and galleys" management also are hosted on the CCS, according to Mike Madden, Smiths' program director for B787 common core system. (CCS also includes the common data network and remote data concentrators.)
The Wind River RTOS is part of the CCS infrastructure software, which also includes the Smiths common operating environment and a certified configuration management tool set. Smiths is integrating the "architecture and configuration tool set," which incorporates software from Smiths, Wind River and Rockwell Collins.
Boeing feels that this approach will reduce the "cost of change" for the life of the airplane, Madden says. When Boeing adds new features down the road, it can use the automated tools to update the configuration, so that the additional work required for approval will be much smaller. "You can prove through the certified tools that you haven't affected the already installed, certified and deployed functions by adding new functions."
Smiths also plans to use the RTOS on the B767 global tanker transport aircraft's avionics flight management computer, a traditional line replaceable unit with VMEbus cards. The FMS software and the related operating environment will be part of an STC, the RTOS' first FAA, DO-178B acceptance. The operating environment, including the RTOS, will be certified to DO-178B, Level B, but the artifacts "will be developed to Level A for use on future applications," says John Armendarez, Smiths' director of military air transport programs.
Smiths also is using VxWorks 653 and the common operating environment--with different I/O drivers--on the mission display processor for the C-130 avionics modernization program (AMP). The requirement for a secure operating system on the C-130 AMP, however, is being revisited and may be eliminated as a result of additional analysis of system-level security requirements.
Green Hills' Integrity-178B is present on the Dreamliner, as well. Honeywell chose the RTOS for the B787's fly-by-wire flight control electronics. Integrity-178B is to run in the B787's flight control modules, which are distributed among the four flight control electronic cabinets the integrator will supply for each 787. Outputs from the software in these flight control modules drive Honeywell actuator control electronics units, which in turn communicate with the actuators that move the control surfaces.
Honeywell chose Green Hills because it provides a DO-178B, Level A, certified time and space partitioned operating system with a tightly coupled development environment, says Don Morrow, Honeywell's director of Boeing business development. Both Green Hills and Wind River have effectively been "certified," Morrow says. "They already have convinced FAA that they have systems which are compliant with ARINC 653." This standard concerns RTOS "partitioning," the services the RTOS supplies to enable the running of multiple applications on the same processing resources.
Honeywell is particularly interested in commercially available tools, such as compilers, linkers and debuggers. The company had to create the operating system and tools for its highly integrated airplane information management system (AIMS) on the B777. "It costs a lot of money, and it's not our core business," Morrow says.
Collins likewise chose Integrity-178B and Green Hills' Multi tool suite in connection with work on the "traffic module" of its integrated surveillance system (ISS) on the B787. The traffic module includes the transponder and traffic alert collision avoidance system (TCAS). The ISS also includes separate resources for processing the weather radar, the Honeywell terrain awareness warning system (TAWS) and input/output data.
Honeywell and Collins have not gotten out of the operating system business completely. Honeywell uses DEOS in the Primus Epic integrated avionics suite and in the flight control system of the Embraer 170 and 190 regional jets. And Collins uses VMOS on business jets like the Challenger 300. Like many other aerospace companies, Collins also develops stripped-down runtime executives for control panels, radios and sensor devices used within the company. This software doesn't know how to deal with accessing file systems or creating processes, explains Nick Bloom, Collins' principal engineering manager for architectures.
In a simple control panel, the runtime executive would monitor the knobs and buttons to provide the right outputs for given inputs. A multiprocessor avionics system, however, might use a runtime executive, as well as a full-fledged RTOS, Bloom says.
Collins' weather radar and elements of the display system on the B787 likewise run in-house runtime executives. The same is true of the switches Collins provides for the Dreamliner's ARINC 664 common data network.
Barco, a graphics systems developer, has created middleware that wraps the operating system and makes it easier for application programmers to use the company's boards.
Barco's ARINC 653-compliant Modular Open System Architecture (MOSArt) package includes input/output drivers, a subset of OpenGL graphics routines, and application programming interfaces (APIs). MOSArt supports Green Hills Software's Integrity-178B and Wind River Systems' VxWorks 653. "We wrap the operating system in our product," says Dave Simpson, software business development manager with Barco's Avionics Division. "A lot of people are just using COTS [commercial off-the-shelf] operating systems and board support packages, but they have to plug together a lot of different pieces of software," he says. "We wanted to take away that work and make our hardware open and accessible for people to develop on." The package is designed to be certifiable to DO-178B, Level A, he asserts.
ARINC Inc. www.arinc.com
BAE Systems www.baesystems.com
Ballard Technology www.ballardtech.com
Condor Engineering www.condoreng.com
Curtiss-Wright Controls Embedded Computing www.cwcembedded.com
Ensco Inc. www.ensco.com
Green Hills Software www.ghs.com
Mentor Graphics www.mentor.com
MontaVista Software www.mvista.com
Objective Interface Systems www.ois.com
OSE Systems Inc. www.ose.com
QNX Software Systems www.qnx.com
Radstone Technology www.radstone.com
Rockwell Collins www.rockwellcollins.com
SBS Technologies www.sbs.com
Thales Computers www.thalescomputers.com
Wind River Systems www.windriver.com