Despite driving key technologies in systems ranging from pacemakers to fighter aircraft, embedded software has not received nearly the recognition of high-profile enterprise applications. The embedded market “is not as big as the enterprise software world and not as public, so to speak,” observed Joe Wlad, director of certification, services and marketing with LynuxWorks, of San Jose, Calif.
Indeed, embedded systems interact not with users, like enterprise applications, but with the systems they are built into. And it doesn’t help that any discussion of these systems can become complicated very fast.
Complexity aside, embedded code is helping to fuel the digital transformation of civil and military aircraft, spurred on by technology advances, growing system requirements and the increased use of commercial-off-the-shelf (COTS) systems. Developers are using embedded systems not only to address specific technology needs but also stiff challenges triggered by growing technology complexity and safety and security requirements.
The embedded market may not be as big as the enterprise business, but it is by no means small. More than 4 billion embedded systems or devices were shipped worldwide in 2006, about a 13 percent year-over-year increase, said Matt Volckmann, program manager with the embedded software practice at VDC Research Group, Natick, Mass.
The software used to run those systems is also growing as “the average embedded system/device continues to require greater amounts of software to serve the requirements of both suppliers and end users,” he said.
In a survey conducted this year, VDC found the “average embedded military/aerospace project expected an increase of 28.5 percent in the total lines of code over their next project,” Volckmann said. That tally exceeds the 22 percent average increase for the overall embedded market.
On aircraft, the use of embedded software has “grown exponentially” over the last 20 years as “analog systems have morphed into digital systems,” Wlad said.
The operational flight program of the F-35 Lighting II, or Joint Strike Fighter, for example, will have at least 5 million lines of software code. That is more than twice the total of the F-22 Raptor and four times that of the F/A-18E/F, according to a Government Accountability Office (GAO) report in March.
“As the cockpits get more sophisticated, as displays get more sophisticated, as everything is more digitally controlled, there’s more and more software,” said David Kleidermacher, chief technology officer with Green Hills Software, Santa Barbara, Calif. “One thing we always say to people is that it is possible to build absolutely reliable software that’s very complicated. … [But] it needs to be right. They need to be able to depend on an operating environment they can trust. Having a commercial-off-the-shelf solution that’s proven for so long and has been flying on so many other aircraft, allows them to meet that goal quicker.”
The Panoramic Cockpit Display of the F-35, provided by L-3 Display Systems, Alpharetta, Ga., uses both the Green Hills Software Integrity-178B and the LynuxWorks LynxOS-178 Real-Time Operating Systems (RTOS), L-3 said.
Green Hills also is providing software support to lead JSF contractor Lockheed Martin and other firms with the Integrity RTOS and software development tools, Kleidermacher said. Integrity is “all over that plane,” he said. “As far as we know, it’s on every computer that has a PowerPC. The PowerPC is the only application-level processor on the plane.”
Interestingly, the F-35 has about 22.9 million lines of software code overall, a piker next to the U.S. Army’s Future Combat System, which rings in at 95.1 million lines, according to GAO.
Compared to other systems, avionics lacks sufficient resources, “things like throughput and network bandwidth” to support that much software, said Tim Budden, president of Esterline Avista, a company that has worked on efforts to upgrade legacy platforms using embedded software.
The software also is being built into legacy platforms. Esterline Avista, Platteville, Wis., is assisting in technology upgrades for the Joint Cargo Aircraft and KC-135 Stratotanker. In addition, “we did the (software) verification for quite a bit of the flight management system” in the C-130 Avionics Modernization Program (AMP), Budden said.
Wind River Systems, Alameda, Calif., worked with GE, AdaCore and Verocel to develop the Software Common Operating Environment used in the C-130 AMP.
On the civilian side, the situation is not much different — the Boeing 787 has more than 8 million lines of code, or about four times the total in the 777. The code, which has increased during the aircraft development effort, “determines everything from how information is shared between systems to how the pilot’s commands are translated into action; from how humid the air is to when the coffee is done,” according to Boeing.
“I think there are over 70 applications from 15 different vendors running on” the 787’s Common Core computer, said Chip Downing, Wind River Systems senior marketing manager for aerospace and defense.
GE Aviation is using the Wind River VxWorks 653 RTOS for the 787’s Common Core System. Among other suppliers, Honeywell is using the Green Hills Integrity-178B for flight-control electronics, including the autopilot and fly-by-wire system; Rockwell Collins is using Integrity for the Configurable Integrated Surveillance System; and Vibro-Meter for the engine vibration and health and usage monitoring system. Hamilton Sundstrand, providing 787 electric and environmental control systems, has chosen TTTech Computertechnik AG of Austria to support the development of a Time-Triggered Protocol (TTP)-based data communication platform.
The growth of embedded software and systems on aircraft is being fueled by a mix of technology advances, system requirements and policy developments.
“We can do a lot more,” said Downing. Smaller microprocessors are being replaced by “what I call ‘common processors’ that can do a lot, but a lot of the capability has to be harvested by software,” he said. “The hardware underneath [this software] is also growing by leaps and bounds. Moore’s law is working on both sides.”
COTS products also have been a major “enabler” of the growth in computing resources on military aircraft, observed Budden.
Many of the new platforms, such as the U.S. Navy’s X-47B Unmanned Aerial Combat System (UCAS), are using almost all COTS software and hardware, said Downing. Under development by a team led by Northrop Grumman, the UAV will use a common core operating system provided by GE Aviation that is similar to that deployed on the 787 with COTS boards and VxWorks 653.
The military’s traditional resistance to COTS has been waning for more than a decade, said industry officials. Still, “there are always people who say ‘no, no, the only way to be secure is to build this in-house,’” said Nauman Arshad, senior technical product marketing manager with Curtiss-Wright Controls Embedded Computing. However, that inclination is being overridden by the increased efforts of COTS vendors to address safety and security certification concerns, he said.
In addition, “a full mil-spec insert product such as a display or computer,” would be very expensive and difficult to get since “a lot of the chip makers have gotten out of the mil-spec business,” said Mark Brideau, director, Platform Systems Integration, with GE Aviation.
A piece of COTS software, like an Ethernet stack, can still open a military application to potential vulnerability, said Budden. The software often must be “reengineered” to remove the vulnerable elements, and “you may have to do more rigorous testing than has been done before.”
“We have a group called Modified COTS that will selectively remove the dormant or unneeded code,” said Mike MacPherson, director of business development at Curtiss-Wright. This process reduces the software footprint and streamlines the certification process, eliminating the necessity to test code that will never be used.
Curtiss-Wright offers a number of software products, including “COTS Continuum” and “Continuing Insights,” aimed at easing the complexity of software development and integration as well as management, Arshad said.
Open source systems have to be handled even more carefully than the typical commercial products. “Open source means a lot of things,” said Robert Dewar, president and CEO of AdaCore, based in New York City. AdaCore’s GNAT Pro Ada 95 compiler and development environment plays a key role on aircraft including the 787, C-130 AMP and KC-767 tanker. A compiler translates high-level source code to binary components suitable for execution by the operating system.
“We tend to emphasize the free licensing,” Dewar said. “It is a real plus for our customers — they don’t have to mess with license keys or worry about what machines the technology goes on.”
However, open source can also “mean the stuff you grab off the Internet. It doesn’t cost anything but who knows what its legal or ethical status is,” he added. This kind of “unsupported junk” can’t be plugged into a mission critical environment. “We have a fiercely controlled development process,” Dewar said.
Wind River Systems provides absolute “traceability” of Linux code back to its source, and “for a critical piece of code, we can go in and review that code,” Downing explained. “You just can’t do that with normal code you get off the Internet.”
However, the growth of technologies on aircraft is bumping up against limits of the computing platforms, spurring stiff safety and security challenges. “Trying to fit in everything that is required is a significant challenge,” said Brideau.
If the growth in software code was plotted on a graph, the trajectory over the past 15 years would be “straight up,” said Kleidermacher. Unlike many systems, however, “an airplane is constrained by space and power, and the number of processors and wires has to hit a limit. They are not going to make the JSF twice as big,” he observed.
The growth in software code makes the DO-178B certification process more difficult, said Arshad. “Typically, when you want to build a safe system the less code the better,” he said.
Long a FAA standard for commercial aircraft, DO-178B has “always been kind of an ad hoc standard” for military aircraft, said Dewar. It includes five levels of design assurance ranging from A to E, with A being the most stringent and designed for systems whose failure would cause “catastrophic” results on the aircraft. The solution has been to consolidate systems using ARINC 653 approved software programs, offered by a number of vendors to allow multiple applications to run in dedicated/virtualized memory partitions on one piece of silicon, said Downing.
Safety and Security
This raises “huge safety and security” issues, Downing added. Before there were standalone boxes certified to a particular design critical level, and “now systems with different safety levels are being (placed) on one piece of silicon.”
Level A mission-critical systems are vulnerable to contamination or corruption from systems with much lower assurance levels. A system controlling the yaw damper, said Wlad, could share space on a processor with a coffee maker.
The traditional response would be to test all the software to Level A “but that can be very, very expensive and time consuming,” said Downing. In addition, “if you change one line of code on the platform you have to retest the entire platform.”
Instead, RTOS vendors are providing Multiple Independent Levels of Security (MILS) architectures that safely partition a processor according ARINC 653 specifications to support systems with different levels of design assurance, including Level A. Today, these systems are enabling the people building the Joint Strike Fighter and the 787 to consolidate separate systems on a single computer, said Kleidermacher.
“Because we can separate levels of criticality, you can have a flight-control application at Level A that goes through this $1,000-a-line kind of rigor, but you can still actually combine processors and have a different level of criticality on the same computer,” Kleidermacher said. “That other application that is not flight-critical can go through a lower level of rigor and therefore get deployed and get completed faster.”
Kleidermacher said Green Hills was the first supplier to achieve commercial Level A certification for a RTOS supporting MILS in 2002, on the flight computer of the Sikorsky S-92 helicopter.
Embedded software developers are toiling to design similar systems to meet growing security requirements. The key goal in security is to achieve the upper Evaluation Assurance Levels (EAL) of the Common Criteria for Information Technology Security Evaluation. RTOS vendors are targeting levels 6 to 7.
Green Hills Software was anticipating imminent certification of its Integrity-178B RTOS to EAL6+, which would make Integrity the first operating system to pass that test. Integrity was accepted for evaluation by the U.S. government’s National Information Assurance Partnership, a collaboration of the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA), in 2005.
“We’re in the final stages of certification to EAL6+,” Kleidermacher said in a September interview. “That’s really going to be Earth shattering in the industry because it will be the first time that an operating system has achieved that high a level of assurance, which enables a whole slew of applications that typically can’t be done today. … The separation kernel protection profile we’re being evaluated against is the only high-robustness security standard in the world and we’re the only ones who will have it, and we’re the only ones who even started it. We started it three years ago.”
Said Stephen Balacco, director of the embedded software practice at VDC Research Group, “It is not a trivial process. It takes quite an investment in time and resources, and even to get into the (evaluation) process a company needs a government sponsor.”
Net-Centric Operations Drive Need For Security
The military’s migration to Net-Centric Operations (NCO) is raising the ante on the complexity and security of embedded technology on aircraft.
Net-centric operations are “a significant driver” of complexity on aircraft and other military platforms, said Mark Brideau, GE Aviation director of platform systems integration. In basic terms, the NCO concept “is increasing the number of network nodes that need to be supported” and configured.
The NCO concept also is pushing the military toward standard communications protocols, such as Internet Protocol (IP) or more specifically, next-generation IPv6, to support communications with different nodes, said Nauman Arshad, Curtiss-Wright senior technical product marketing manager. This change introduces greater complexity and more software code, especially as IP-type networks replace older legacy systems like the Mil-Std-1553 databus that provide point-to-point links.
With the move from closed to more open networks, the security risk increases, requiring more information assurance “because security needs to be ubiquitous,” said Arshad. Today’s systems are fending off increasingly sophisticated threats, and security capabilities are “becoming a weapon” in which the strength of a cryptology engine may avail a critical advantage.
Platforms also are adding software to address key practical challenges. Tanker type transports, for instance, “have to be able to manage both the military and civil data simultaneously,” said Brideau. “That requires additional processing” to ensure they are not sending military data on a civil link.
The challenge expands beyond manned aircraft to remotely operated UAVs that carry sensitive information and are or will be plugged into the Global Information Grid, said David Kleidermacher, chief technology officer with Green Hills Software.
The GIG is not the Internet but there are still “ways for people to potentially try to hack into it, the same way they do with critical infrastructure on power grids right now,” Kleidermacher said. —Ed McKenna