Real-time operating systems and related software are stealing the spotlight in mil-aero electronics development, taking center stage in myriad applications.
BY Courtney E. Howard
Not long ago, the operating system, the enabling technology that not only adds value to hardware platforms but also hosts myriad software programs, was taken for granted. It was an afterthought among a wealth of hardware and software tools. The real-time operating system (RTOS) is of paramount importance to today's military and aerospace electronics designs, which rely on the RTOS to execute application-specific tasks reliably, consistently, and predictably.
An operating system (OS) provides a toolbox to help software developers construct their application, explains Tim King, technical marketing manager at DDC-I Inc. in Phoenix. The richer the feature set, the better the application software, he explains.
"Mil-aero systems require more and more functionality, often found in traditional desktop operating systems, rather than traditional real-time operating systems, including graphical user interfaces (GUIs) and graphics, advanced networking, and disk and SSD storage," explains Robert Day, vice president of marketing at LynuxWorks Inc. in San Jose, Calif.
Pedigree, likewise, is essential, Day continues. Software engineers should ask: What programs have used the RTOS before? What was the success of the programs? What is the maturity and code base of the RTOS?
Reliability, proven through a large number of field deployments, is an important consideration, says John Carbone, vice president of marketing at Express Logic Inc. in San Diego. "It demonstrates the RTOS's ability to handle various requirements reliably, reducing risk."
Proven success in meeting project schedules is another consideration, Carbone says. "Studies [show] the benefits of some RTOSs over others with regard to project completion on-time or ahead of schedule. Many times, additional services or features are required, which involves a closer working relationship and trust with the RTOS provider," he adds.
Security is a major factor for many new government programs, Day observes. "Security of network, security of information and data, and access controls and secure logins are now often specified as part of the functionality of the RTOS and its associated stacks. Separation kernels, partitioned operating systems, and secure operating systems are now being mandated for programs."
"We have seen an evolution from federated architectures (single application, operating system, and hardware) to Integrated Modular Avionics (IMA) architectures (multiple applications, single CPU, and a time/space-partitioned operating system) in the past 10 years," admits Joe Wlad, senior director for aerospace and defense at Wind River, a wholly owned subsidiary of Intel Corp. in Alameda, Calif. Wind River's VxWorks 653 is an IMA-based operating system being adopted for military systems and commercial aircraft.
The U.S. Navy/Northrop Grumman X-47B unmanned aircraft combines Navy, Northrop Grumman, and Wind River RTOS technologies.
Time and space partitioning is a key feature, King agrees. Time partitioning guarantees that one piece of software enjoys a certain amount of time on the CPU, regardless of what other software is doing. Similarly, space partitioning guarantees that software in one partition cannot corrupt the memory of the software in another partition, he explains.
"You can imagine safety-critical software systems, in which partitioning is not present, might have a piece of software inadvertently or maliciously interfere with the correct operation of another piece of software, preventing it from doing its job," King says. "In a worst-case scenario, it could cause the loss of the aircraft and the lives of those onboard."
Reliability is the core issue. "Look at it as guaranteed execution and resource availability," notes Greg Rose, vice president of marketing at DDC-I. "Another thing you get from time and space partitioning is the ability to run mixed-criticality applications. You can have some tasks executing at a higher level of importance and other tasks at lower levels of importance on the same box and still make sure things run. DDC-I's Deos has at its foundation time and space partitioning, guaranteed execution."
Time and space partitioning have become increasingly important, King says. "For size, weight, and power (SWaP) reasons, avionics manufacturers were including more and increasingly complex functions; instead of adding a new box on the aircraft every time they added something like that, they integrated different types of applications onto the same central processing unit (CPU).
"They can save SWaP with fewer boxes on the airplane, but with all these different pieces of software on the same CPU, we have a potential conflict where one piece of software might have an error, whether inadvertently or maliciously, and impact the operation of other software. That's where the time and space partitioning comes into play," King adds.
"Perhaps a critical piece of software went through a very rigorous development verification process that took a lot of time and was very costly," King proposes. "I might also have non-critical software that went through a much less rigorous process, and it may have errors in it. I can safely mix both on the same CPU, because the RTOS underneath guarantees with time and space partitioning that the lower-criticality piece of software cannot somehow affect the correct operation of the higher-criticality piece of software."
The latest RTOS technology from Green Hills Software in Santa Barbara, Calif., combines the benefits of partitioning and virtualization, and offers the ability to virtualize Microsoft Windows or Linux in safe and secure embedded systems.
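As an added example, not code from the article or from any vendor it quotes, the following C model shows why a misbehaving lower-criticality partition cannot take CPU time or memory from a higher-criticality one under time and space partitioning, and what the same workload looks like on a kernel without partitioning. Partition names, window sizes and memory regions are constructed values; a real separation kernel would enforce the memory check with an MPU or MMU rather than in software.

```c
/* Added example, not code from the article or any vendor named in it: a
 * tick-level model of ARINC 653-style time and space partitioning. Window
 * sizes, budgets and memory regions are constructed sample values. */
#include <stdint.h>
#include <string.h>

#define NPART 3
#define MAJOR_FRAME 100 /* ticks per major frame (constructed) */

typedef struct {
    const char *name;
    int window_ticks;  /* CPU budget per major frame (time partition)     */
    uint32_t mem_base; /* the only region this partition may touch (space) */
    uint32_t mem_size;
} partition_t;

/* Static schedule: each partition owns a fixed window of the major frame. */
static const partition_t parts[NPART] = {
    { "flight-control", 40, 0x10000000u, 0x00100000u },
    { "display",        30, 0x20000000u, 0x00100000u },
    { "maintenance",    30, 0x30000000u, 0x00100000u },
};

/* One major frame under time partitioning. demand[p] is how many ticks
 * partition p tries to run; got[p] receives what it actually ran. A partition
 * is preempted at the end of its window, so a runaway task in "display"
 * cannot take ticks from "flight-control". Idle ticks inside a window are
 * simply lost here; handing them out is what slack scheduling would add. */
void run_frame_partitioned(const int demand[NPART], int got[NPART])
{
    int tick = 0;
    for (int p = 0; p < NPART; p++) {
        got[p] = 0;
        for (int i = 0; i < parts[p].window_ticks && tick < MAJOR_FRAME; i++, tick++) {
            if (got[p] < demand[p])
                got[p]++; /* partition runs this tick */
        }
    }
}

/* Same demand on a kernel without partitioning: a task that never blocks and
 * is dispatched first (index hog) keeps the CPU until its demand is met or the
 * frame ends, and everything queued behind it starves. */
void run_frame_unpartitioned(const int demand[NPART], int hog, int got[NPART])
{
    int remaining = MAJOR_FRAME;
    memset(got, 0, sizeof(int) * NPART);
    got[hog] = demand[hog] < remaining ? demand[hog] : remaining;
    remaining -= got[hog];
    for (int p = 0; p < NPART && remaining > 0; p++) {
        if (p == hog)
            continue;
        got[p] = demand[p] < remaining ? demand[p] : remaining;
        remaining -= got[p];
    }
}

/* Space partitioning: an access is legal only inside the caller's own region.
 * Arithmetic is done in 64 bits so addr + len cannot wrap around the check. */
int access_allowed(int p, uint32_t addr, uint32_t len)
{
    if (p < 0 || p >= NPART || len == 0)
        return 0;
    uint64_t beg = parts[p].mem_base;
    uint64_t end = beg + parts[p].mem_size;
    return addr >= beg && (uint64_t)addr + len <= end;
}
```

With demand {40, 1000, 30} (the display partition stuck in a loop), run_frame_partitioned yields {40, 30, 30} while run_frame_unpartitioned with the display task as hog yields {0, 100, 0}, and access_allowed rejects a display-partition access into the flight-control region.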
"Introducing Microsoft Windows or Linux, whose security is only certified to protect against casual and inadvertent attempts to breach the system security, into any mil-aero application is fraught with danger to both lives and national security," says Dan O'Dowd, chief executive officer of Green Hills Software.
"The only way these operating systems can be made safe and secure is to virtualize them in a 'padded cell' whose safety and security is sufficient to protect classified and other high-valued information against sophisticated threat agents; i.e., SKPP EAL6+/High Robustness and RTCA DO-178B Level A," O'Dowd explains. "Our Padded Cell virtualization technology is the only virtualization technology to offer the RTCA DO-178B Level A and Separation Kernel Protection Profile (SKPP) Evaluation Assurance Level (EAL) 6+/High Robustness necessary to prevent Windows and Linux from harming the system's security and safety."
A feature-rich RTOS can be advantageous, but "it's wise to avoid overkill," Carbone says. "In other words, don't select an RTOS with more bells and whistles than you need; it just adds complexity, complicates learning and using, slows down development, and often costs more. Instead, identify the technology that's appropriate for the task at hand."
"You want an operating system imposing as little overhead of its own as possible," King says, "so that you leave as much CPU bandwidth as possible for the actual value-added software, whether it's a flight control system, ground proximity warning system, or whatever it might be. People are very sensitive to the performance of the operating system and there are wide differences in the commercial off-the-shelf (COTS) products out there in that regard."
Consider how well the RTOS can respond to events, Day recommends. "Applications in the mil-aero industry often have to respond to many more events in a shorter time span than commercial systems, and the ramifications for not responding to events on time can be life-critical."
Multi-core processors very often lend to performance gains, and RTOS vendors are infusing operating systems with technologies and capabilities to take advantage of multiple cores. "VxWorks 653 now supports multi-core architectures, which will enable future designers to add even more applications to a single hardware platform," Wlad says. "Augmented with virtualization capability, our customers can add legacy applications based on Linux to an ARINC 653, DO-178C-certified environment. VxWorks technology supports open-standard APIs, such as ARINC 653 and POSIX, and a wide variety of the industry's latest multi-core architectures."
"We've been tracking the move to multi-core processors," says DDC-I's King, who is working to make Deos multi-core aware and multi-core capable. "From a safety-critical system developer point of view, those chips present very interesting challenges, in particular regarding resource contention. If I have software running on two cores competing for one memory subsystem, there's resource contention. While one core is accessing it, the other one has to wait.
"What happens if core-zero has it tied up and core-one needs access to data because it is handling a critical calculation? I have to wait. That's a bad thing," King adds. "We're bringing unique, patented technology to bear that will address those challenges and allow customers to leverage the full power afforded by multi-core processors. Lacking that, you basically write software, run it on one core, and turn off the other cores, so you're losing a significant amount of processing power. We want to bring new technology to bear so you can leverage all that power."
"In mil-aero applications, safety and security are always paramount," says O'Dowd. "Before considering an RTOS for any safety-related application, you should check its safety and security certifications. The gold standard for safety certification is RTCA DO-178B Level A, required for flight-critical software in aircraft. No RTCA DO-178B Level A software has ever been blamed for an aircraft fatality. Aircraft are the only software-intensive products for which the software is the least likely cause of failure. That is safe by anyone's definition."
DDC-I's Rose also stresses the importance of an RTOS from a vendor with a proven history of safety-critical operation and certification, including DO-178B. The military community "is quite aware of DO-178B and starting to embrace it," he says. "A lot of customers might not need full DO-178 certification today, but they can see the trend and the way things are going. They want to know that the RTOS they choose has those artifacts so that when they need them a year down the road, perhaps, they're available and they won't have to redesign their system."
"It's a trend we are seeing with almost every mil-aero customer," King confirms. "Every mil-aero customer I have talked to in years has asked about DO-178 certification."
Certification of an RTOS can be crucial. "Many aerospace applications require DO-178B certification," Carbone acknowledges, "so the RTOS you select should have already been certified by previous customers, should be available with full source code, and should be available with artifacts for your certification needs."
"The most important operating system characteristics for our aerospace and defense customers are: the ability to support safety requirements in RTCA DO-178B and DO-178C, and the inherent capability to support high Common Criteria security requirements for mission-critical systems," Wlad describes.
"At the end of the day, software vendors have to be able to certify their programs," King says. "They want a high degree of confidence that the operating system vendor is not going to introduce any risk into their certification. The ability to certify an OS in military applications is becoming more important by the week; it is increasingly a big part of the decision on the military side."
Avionics software aside, the gold standard for security certification is SKPP EAL 6+/High Robustness, explains O'Dowd. "This standard states that it is appropriate to protect 'classified and other high-valued information' from 'sophisticated threat agents.' That is secure by anyone's definition. On the other hand, Microsoft Windows and Linux are only certified to protect against 'casual and inadvertent attempts to breach system security.' That is not secure by anyone's definition. Any RTOS that can't meet these high-level safety and security standards has no business being used in life-critical or security-critical mil-aero applications."
Aerospace firms often serve both military and commercial aviation customers. "In a lot of cases, customers can leverage technology, such as displays, from the commercial side in the military sector," admits Rose.
DDC-I and Quantum3D in San Jose, Calif., have partnered to provide a safety-critical, real-time display solution for next-generation electronic flight bag (EFB) cockpit display applications. The integrated solution boasts Quantum3D's OpenGL IGL-178 software graphics processing unit (GPU) running on DDC-I's Deos safety-critical RTOS. The DO-178B Level A-certifiable solution is suitable for use in Class 3 EFBs considered "installed equipment" and subject to airworthiness requirements.
"DDC-I's Deos and Quantum3D's IGL-178 provide an excellent platform for hosting next-generation safety-critical cockpit applications such as electronic flight bags," says Rose.
"We have deployed our IGL-178 technology in multiple programs," reveals Ray Niacaris, director of EVC sales at Quantum3D. "In addition to its ability to be integrated into safety-critical applications, the IGL-178 OpenGL software GPU offers power consumption savings and 20-year product life cycles, both of which are vital for aerospace applications."
Deos is a DO-178B Level A-certifiable embedded RTOS used in safety-critical avionics applications. A differentiator is its patented "slack scheduling" for high CPU utilization.
The specific military and aerospace application use case will determine the required RTOS characteristics, says Sonia Leal, product marketing manager, RTOS Software at Mentor Graphics in Wilsonville, Ore. "For example, a commercial aerospace use case will dictate a certification requirement where single-core, time- and space-partitioned, DO-178B-certified RTOS solutions dominate.
"For military applications, such as software-defined radio (SDR), the RTOS will require high determinism, memory protection, and minimal to moderate footprint size, where a proprietary RTOS is well suited," Leal says. "SDR applications require an incredible amount of numerical translation and message passing between the receiver and transmitter, where a general-purpose OS may not support the required determinism to handle the heavy communication."
Green Hills' Integrity RTOS and GateD Advanced Routing software are "at the heart of a next-generation Rockwell Collins software-defined radio network router, part of the Joint Tactical Radio System (JTRS) program," O'Dowd says.
Mentor Graphics developers continue to innovate, extending the functionality and capabilities of the company's Nucleus RTOS. Nucleus features storage and database management; USB, networking, and multimedia support; and advanced graphical user interface capabilities.
Fritz Technologies, prime contractor for a U.S. Government high-assurance program, selected LynxSecure 4.0 from LynuxWorks as a foundation for its Multiple Independent Levels of Security (MILS) approach, including an environment in which servers and applications can process data on different classification levels, while enabling data-sharing between a fixed number of information nodes.
"Using standard hardware and the LynxSecure Separation Kernel and Embedded Hypervisor, we will be able to demonstrate a unique environment for running secure, multiple guest operating systems and high-assurance cross-domain data sharing," says Bobbi-Michelle Wehrfritz, CEO and founder, Fritz Technologies.
The LynxSecure separation kernel and hypervisor are entering the fifth generation. "Taking advantage of the latest hardware technology, LynxSecure is leading the way for a whole generation of multi-tenancy secure systems offering real-time determinism on the same physical system as traditional desktop OSs, such as Linux, Windows, and Solaris," Day says. "The ability to support symmetric multiprocessing guest OSs allows the easy migration of high-performance applications onto new secure virtualized platforms."
RTOS in space
The European Space Agency's Galileo civilian-controlled global navigation system takes advantage of the LynuxWorks LynxOS-178 RTOS, reportedly the first and only COTS RTOS to receive Reusable Software Component (RSC) acceptance for reusability from the FAA for DO-178B certification. LynxOS-178, at the heart of the Galileo system, will provide enhanced capabilities for communications across various devices and OSs on the ground and in space.
Galileo is designed to provide unprecedented accuracy (determining location to the meter), guaranteed availability, and compatibility with GPS and GLONASS positioning systems. Galileo will be used for location-based services; safety-critical tasks, such as running trains and landing airplanes; and search-and-rescue operations.
LynxOS-178 will be used in critical Galileo Mission Segments (GMS), a network of Earth-based stations that monitor signals from satellites and transmit navigation data to satellites.
"With its support of PowerPC and Pentium architectures, LynxOS-178 has been chosen as a result of a strict selection process," explains Bertrand Revol, sub project manager, Thales Alenia Space (formerly Alcatel Alenia Space), which is overseeing the Galileo project. "LynxOS-178 will provide us with the ability to guarantee availability of the satellite system under any circumstance."
DDC-I's Deos RTOS has been used to support various mil-aero functions, such as air data inertial reference units, displays, enhanced ground proximity warning systems, traffic collision avoidance system (TCAS), and weather radar, says King.
Septentrio Satellite Navigation N.V., a manufacturer of professional GNSS receivers in Leuven, Belgium, is using Deos in new engineering development. Deos, a high-performance RTOS for high-reliability and safety-critical applications, offers deterministic real-time response, memory protection, DO-178B Level A certification, "slack scheduling," and time and space partitioning.
"Customers are demanding more robust offerings in the satellite navigation arena," says Peter Grognard, CEO of Septentrio. "DDC-I's Deos operating system and comprehensive development tools provide the feature-rich, ultra-reliable platform required to build the demanding applications customers expect from us."
Express Logic's ThreadX RTOS is playing a vital role in the Mars Reconnaissance Orbiter (MRO) spacecraft, which is mapping the surface of Mars with high-resolution and infrared imaging sensors so scientists can gain a better understanding of the Red Planet, including its ability to support any form of life.
"ThreadX manages the high-resolution cameras on the MRO, an exceptional feat given the speed of the orbiter and the complexity of capturing the data and transmitting it to Earth, all with minimal power and resources," says Carbone. "Notably, the photos taken far exceed anything captured in the past."
Image collection is part of the High Resolution Imaging Science Experiment (HiRISE) developed by Ball Aerospace & Technologies Corp., the same design team responsible for NASA's successful Deep Impact mission, which also used ThreadX. HiRISE provides images of the surface of Mars with much finer resolution and a higher level of contrast than ever before. Managed by the ThreadX RTOS, HiRISE application software controls the acquisition of images across a six-kilometer swath of 20,000 pixels at a time, while the spacecraft sweeps over Mars' surface at a speed of 3,200 meters per second.
"The characteristics of ThreadX suited the demanding resource-constrained environment we needed," notes Steve Tarr, head of Ball Aerospace's HiRISE team. ThreadX manages all software aspects of image collection in the HiRISE system.
Express Logic's ThreadX RTOS manages the high-resolution cameras on the Mars Reconnaissance Orbiter spacecraft.
ThreadX is a small-footprint, responsive RTOS for demanding applications in resource-constrained systems, such as those aboard the Deep Impact spacecraft. ThreadX is integrated with Green Hills' Multi IDE and includes kernel-aware debugging, pre-configured project building, source code browsing, and EventAnalyzer execution logging for system and application event monitoring.
"In NASA's Deep Impact mission, a pair of spacecraft designed and built by Ball Aerospace & Technologies Corp. photographed and excavated material from the deep-space comet Tempel 1," Carbone says. "ThreadX played a key role in the project." Express Logic's RTOS managed the operation of the CCD camera controllers in all three instruments used on the Deep Impact mission: the High Resolution Imager, Medium Resolution Imager, and Impactor Targeting Sensor. All software for Deep Impact was developed with the Multi IDE.
Kongsberg Defence Systems officials in Norway selected Green Hills Software's Integrity RTOS, Multi IDE, and Green Hills Probe advanced hardware debugger and networking middleware for the Joint Strike Missile.
Kongsberg engineers will use the Integrity RTOS in multiple, multicore computers on the Joint Strike Missile (JSM), which is being developed initially for the Royal Norwegian Air Force. The JSM, mounted externally or internally in the bomb bay of the Lockheed Martin F-35 Joint Strike Fighter, is intended for anti-surface warfare and naval fire support missions over sea and land. Green Hills Software products will also be used in the telemetric, safety launch, and planning software for JSM.
"We wanted a proven, reliable RTOS with a rich ecosystem of development tools and support for our Freescale Power Architecture processor," says Harald Ånnestad, president of Kongsberg Defence and Aerospace. Green Hills' EMEA Engineering Centre in the Netherlands will develop board support packages.
Wind River's VxWorks is deployed in unmanned systems, including Northrop Grumman's X-47B, says Wlad. The X-47B unmanned aircraft for the Navy demonstrates that an unmanned, tailless aircraft can operate safely and autonomously from aircraft carriers and refuel in-flight. "The size and weight constraints of unmanned systems require that applications be consolidated onto single hardware platforms by making use of time and space partitioning or virtualization," Wlad says.
Northrop Grumman engineers leveraged VxWorks to create, deploy, and maintain critical applications for the program. GE Aviation officials also selected the RTOS as the foundation for the Common Core System, the backbone of UCAS-D computers, networks, and interfacing electronics, and the primary computing environment. "The UCAS-D program is an essential step toward the future of carrier-based unmanned systems technology," says Chip Downing, director of aerospace and defense at Wind River.