Engineer complex, connected systems for safety, security, and reliability

May 31, 2018
The probability that aerospace and defense systems will be under attack is increasing as applications become more challenging and complex, and modern systems contain a growing amount of software and execute in a connected world. Certain methodologies can prepare a system for these attacks. Chip Downing, senior director of aerospace and defense at Wind River, an Intel company based in Alameda, California, sat down with Intelligent Aerospace and Military & Aerospace Electronics editors to discuss security challenges and solutions in the face of rising threats.  

The challenging threat environment is altering the way software and hardware engineers build aerospace and defense systems. An industry veteran and security expert imparts advice on engineering resilient, high-integrity solutions.

Interview with Chip Downing, senior director of aerospace and defense at Wind River, by Courtney E. Howard

The probability that aerospace and defense systems will be under attack is increasing as applications become more challenging and complex, and modern systems contain a growing amount of software and execute in a connected world. Certain methodologies can prepare a system for these attacks.

Chip Downing, senior director of aerospace and defense at Wind River, an Intel company based in Alameda, California, sat down with Intelligent Aerospace and Military & Aerospace Electronics editors to discuss security challenges and solutions in the face of rising threats.

The investment required to achieve high levels of safety and security certification will always increase, Downing says, and is likely to alter the way software and hardware engineers build next-generation platforms. “Affordability is the new metric, the new enabler,” he says. “Embedded systems used to be inexpensive – this is no longer the case. Historically, embedded systems had a minimal impact on safety and security; today, they form the foundation of every safe and secure solution.”

Safety & security

What are the top safety and security challenges facing the aerospace and defense community?

There are three safety and security challenges that keep me up at night.

1. Can we truly trust our hardware? Even though we have very robust silicon design tools, we still have security gaps that are discovered in shipping silicon. Many of these hardware IP design and test tools are designed upon formal methods; we need to have these environments be built with the intelligence of a hacker, which goes outside the normal range of silicon design. As we create capabilities that underpin a hardware root of trust, like a trusted execution environment, cryptographic functions, and tamper-resistance, how do we test the integration and operation of this IP? How can we attest to its correct operation? Has this security foundation been compromised? How can we reliably separate the operations of different applications and operating systems on different sets of cores?

2. Additionally, with increasing complexity of multi-core hardware, how can we reliably achieve tough certification standards like RTCA DO-254, Design Assurance Guidance for Airborne Electronic Hardware? If we achieve it, can we trust it?

3. And finally, can we build, and continue to build open virtualization platforms on top of this new multi-core silicon that will safely and securely, and possibly dynamically, manage the many disparate applications and operating systems running on these multi-core processors?

The answers to these questions are: “Yes we can” but everyone will have a higher dependence on silicon IP that helps solves these challenges and can robustly prove the solution under a wide variety of load conditions and threat exposures.

Wind River and our competitors have created RTCA DO-178C DAL A solutions for our current product lines using today’s multi-core processors, but to continue to do this will involve higher risk and greater investment. We now have good metrics on ARM, Intel, and Power multi-core processors, and the trend is longer time frames and greater investment regardless of the processor architecture.

My fear is that while we can achieve high levels of safety and security certification, the investment required to do so will always increase, and we will bump into an affordability ceiling that will alter the way we build next-generation platforms.

How is the FACE™ Consortium and it’s technical standard helping to solve safety and security challenges, boost safety and security, help modernize platforms, and meet evolving regulations?

The Open Group Future Airborne Capability Environment (FACE) Consortium continues to march forward, building more capability into the latest FACE Technical Standard, Edition 3.0. This revision not only added more refinements of the previous capabilities but has also enhanced the data architecture, and an integrated component framework to increase reliability, portability, and utility over multiple aircraft types.

The FACE Consortium has always had a concern and commitment for safety and security, and early on in the life of the Consortium created specific subcommittees for both Safety and Security. The results are in the latest FACE Technical Standard, Edition 3.0. The key to success of the FACE approach is that we are creating a COTS market for these avionics components, most of which will have a medium to high level of safety and security concerns. This market creates a better environment for investing in safety and security capabilities.

One of the foundations of forming the FACE Consortium was to increase affordability. Building ad hoc, piecemeal, or bespoke safety and security capabilities is no longer tenable. To have truly effective safety and security solutions the cost of building these solutions needs to be amortized over multiple programs, projects, and platforms. Otherwise, it is unaffordable and will only solve a minimum of concerns that will prove to be ineffective in today’s hostile environments.

©2017, The Open Group

What’s on the horizon? Where is the industry headed?

In the immediate future, Wind River will be spun out of Intel and acquired by TPG. This will re-establish Wind River as a leading independent software provider that is uniquely positioned to accelerate digital transformation for our global critical infrastructure customer base. This is well-timed as the entire industry is seeing an explosion of heterogeneous multi-core hardware platforms that will require Wind River’s wide range of software solutions in aerospace, defense, automotive, industrial, medical, networking, and other critical systems.

As we look over the horizon at a more autonomous world, it is interesting to see that other industries are now beginning to understand how important safety, security, and reliability are to future systems. This is good for all affected industries because we can all leverage safety and security work done in other markets to reduce the risk and investment required to satisfy more demanding requirements in our own.

Affordability is the new metric, the new enabler. Embedded systems used to be inexpensive – this is no longer the case. Historically, embedded systems had a minimal impact on safety and security; today, they form the foundation of every safe and secure solution.

The ARINC 653 avionics standard that defines the foundation of an integrated modular avionics (IMA) platform is built into the FACE Technical Standard. This enables a very dense consolidation of airborne applications hosted on a single microprocessor. This increases affordability because we now have a small number of integrated modular avionics (IMA) platforms versus a large number of single-purpose federated platforms. Each architecture has benefits and challenges as summarized by the table below:

Federated Systems Architecture

Integrated Modular Avionics (IMA) Architecture

+ Simpler architecture

+ Lower SWaP requirements

+ Design independence

+ More efficient use of multi-core hardware

+ Certification independence

+ Common hardware architecture

+ Standard supply chain flow

+ Ease of cross-platform software portability

- - Increase in size, weight, and power (SWaP)

+ Integrated redundancy / failover

- - Greater tendency for hardware uniqueness

+ Can support multiple levels of safety and security

- - Multiple supported hardware platforms

+ Can support multiple OS environments

- - Hardware-specific redundancy

- Higher complexity of design

- - Single level of safety and/or security

- Multiple supplier support more challenging

- - Poor utilization/optimization of hardware

- Greater complexity of systems integration

- - Single OS support

- More complex test and integration

As processors get more powerful, and commercial off-the-shelf (COTS) IMA solutions like Wind River’s VxWorks 653 become available on the latest ARM, Intel, and Power multi-core processors, the argument for using IMA in future designs becomes more compelling.


Why is the choice of software platform/solution key for aerospace and defense, safety-critical, and autonomous systems?

Increasing complexity and both hardware and software is driving the careful selection of more capable OS foundations in all industries. A rich selection of multi-core hardware with ARM, Intel, and Power architectures, coupled with hardware virtualization support is enabling not only multiple real-time operating system (RTOS) functionality but also unmodified guest OS capabilities, including enterprise OSs like Linux.

This exponentially increasing platform support is attracting even more software to be inserted onto these consolidated systems. When we had relatively simple microprocessors with single function applications, the choice of an RTOS or application scheduler was not a tough or critical decision. But with today’s densely consolidated multi-core platforms, one must be extremely careful about selecting a virtualization foundation that can support the constantly-changing system over time. This virtualization needs to be an open solution that can support a wide range of virtual machines (VMs) and operating environments – otherwise your system will not be able to stay current with the newest security patches and operating systems.

What should companies consider when selecting a software platform/solution for A&D and safety-critical projects? Any advice you can offer software engineers and managers?

Yes, this is a very critical decision, and one that can prematurely end the life of a system if one does not think about total-cost-of-ownership (TCO).

· Create common, virtualized platforms that can be utilized across multiple product lines in the company. Due to the increase in personnel costs and in platform maintenance costs the days of each segment of a company’s product portfolio developing their own proprietary and unique hardware and software platform are coming to an end. Companies need to create common virtualization platforms that enable the use of any guest operating system, embedded or enterprise, to be deployed in any segment or application area across the enterprise. This platform needs to support open architectures and multiple guest OS virtual machines, like POSIX, ARINC 653, Linux, and possibly VxWorks. Investing in one powerful platform that each product segment can use with ease eliminates the wasted design, development, and support costs of many single-use, proprietary internal platforms that no longer drive a competitive advantage.

· Use industry standards. Historically it was advantageous to create highly proprietary solutions that were hard to penetrate by competitors. In our new virtualized, software-defined world, this is no longer a successful product strategy. Next generation platforms need to provide an open standards-based system that is capable and ready to adapt to any modern or legacy operating system and application environment. Proven open software standards that span both commercial and military usage, like POSIX and ARINC 653, have the available market and therefore can allow development costs to be amortized across many customer environments.

· Use commercial-off-the-shelf (COTS) components. Today there is a very rich and competitive software components ecosystem serving the global aerospace and defense industry. Most of these software packages not only have well-defined test/quality credentials, but may also have high technology readiness levels (TRLs) that will accelerate time-to-deployment and program acceptance.

· Use COTS safety and security evidence. In addition to having high TRLs, many COTS software suppliers have robust safety and security certification evidence available as a COTS offering. These packages can drive test/acceptance and airworthiness costs down, and accelerate time-to-market and time-to-deployment. These characteristics drive up affordability and advance time-to-revenue.

· Enable your integrated supply chain with independence. As platform consolidation and IMA systems on multi-core processors become the norm, your supply chain needs to be able to design, develop, test, and ship components to your systems integration center with minimal dependences. Capabilities like Wind River’s VxWorks 653 independent build, link, and load (IBLL) enable the supply chain to ship only tested binaries and XML configuration to systems integrators with minimal disruption of other supplier’s activities and the system integration efforts.

· Insist on robust partitioning across the platform. Robust partitioning eliminates the requirement to re-test your entire platform when any change is made. Robust partitioning is a hard requirement for any complex integrated system, and enables a drastic reduction on the total-cost-of-ownership (TCO). Integrated systems without robust partitioning are untenable for long-lifespan products, and exponentially increase lifecycle costs.

All these decisions need to have a strong focus on TCO. It is very easy and appealing to have one team in a design flow make decisions that negatively impact TCO that may not show up until after a product or platform is deployed. These decisions can make your overall system less affordable and less competitive. They are also more difficult and costly for both the supplier and customer to maintain. Never lose focus on TCO.

Wind River is partnering with more A&D technology companies, including hardware and software companies. What is the goal?

Wind River cannot write all the software our customers need. We need strong, industry-leading partners that can work with Wind River to provide unique and compelling solution stacks that remove risk, increase capability, drive up quality, and reduce time-to-market (TTM) and deployment.

We worked with Presagis and CoreAVI last year to create a very compelling, award-winning solution stack modeled after an unmanned aerial vehicle (UAV) control system, but the technology can be used to control any type of environment. Bringing the Presagis multi-touch design graphical user interface (GUI) to the fight and coupling this with CoreAVI graphics drivers allowed us to present a COTS solution stack that launches rapid innovation, industry-leading technology, and accelerated time-to-certification for our customers.

Any notable changes as a result of Wind River’s recent acquisition?

We are just about to turn the page on the next chapter of Wind River. We will be releasing more information on this exciting event later in the year.

Real-world and cutting-edge

How are Wind River solutions being used today? Any cutting-edge aerospace and defense projects?

Well, as you know, in aerospace and defense we cannot discuss the coolest applications of our technology until long after it is fielded. However, we can discuss two recent success stories.

1. NASA Insight Mission. Earlier in May NASA’s Mars Interior Exploration using Seismic Investigations, Geodesy and Heat Transport (InSight) mission was launched from Vandenberg Air Force Base on a 300-million-mile trip to Mars to study for the first time what lies deep beneath the surface of the Red Planet. InSight is scheduled to land on the Red Planet on 26 Nov. 2018 where it will conduct science operations. The Mars InSight rover’s avionics system is based upon VxWorks, and the flight software, written in C and C++ on top of VxWorks, monitors the status and health of the spacecraft during all phases of the mission, checks for the presence of commands to execute, performs communication functions, and controls spacecraft activities. This is another great success story for VxWorks in Space. My blog on this launch has more details.

2. AgustaWestland Project Zero. Wind River VxWorks 653 Platform was chosen by AgustaWestland for its revolutionary “Project Zero” tilt-rotor technology incubator, an unmanned all-electric tilt-rotor, designed to hover like a helicopter and convert to a fixed wing aircraft in forward flight. AgustaWestland engineers worked with Wind River’s Professional Services team to develop an open systems platform based upon ARINC 653, and were able to design, develop, build, and test its unmanned rotorcraft in 12 months. VxWorks 653’s robust partitioning capabilities enabled the joint development teams to quickly modify the system in order to support changes in customer requirements.

There is a very nice YouTube video at:

We are designed into some really innovative, new projects with industry-leading customers. Stay tuned for future announcements on those fronts as we are released to discuss them.

Why are engineers actively choosing Wind River products for next-generation aerospace programs?

The AgustaWestland Project One success story is a good example of the type of value customers are turning to Wind River to deliver. First, VxWorks 653 is standards-based, supporting both ARINC 653 and POSIX, and was certified as FACE conformant in March 2017, the first RTOS to achieve FACE conformance for the Operating System Segment (OSS) Safety Base Profile.

Second, we have powerful tools in our VxWorks 653 development platform that enable RTCA DO-297 IMA supplier roles, allowing multiple application suppliers to deliver software binaries and XML configuration code independently and asynchronously to a systems integrator, eliminating messy multi-supplier integration sessions.

Third, we support robust partitioning that reduces the re-test of an IMA platform to only the scope of the change, not the entire platform, saving significant cost on large programs.

Lastly, we have COTS certification evidence for both single-core and multi-core processors that reduce both cost and risk on DO-178C certified platforms.

Hot topics

Aerospace and defense firms are actively working on and toward all-electric aircraft. Does digitization (more digital and all digital systems) increase the susceptibility of systems and platforms to security issues?

As systems contain more software, and applications are more challenging and complex, and execute in a connected world, the probability that these systems will be under attack will increase. There are methodologies that can prepare a system for these attacks:

1. System architecture. We need to transition from an integrated modular avionics design that partitions the capabilities into hardware-protected virtual machines (VMs) that reduce impact of the failure, due to either safety or security, of any component in the IMA platform.

2. Design for change. Coupled with a strong systems architecture a new platform must be designed for a lifetime of change. Systems must be ready to accept updated application components at any point in its operation. These systems must provide a structured method of integrating these changes that minimizes the impact on the entire system

3. Test-reducing model-based engineering (MBE) design tools. The days of designing and developing software systems “from scratch” and “by hand” are over. Our industry now has a rich collection of design tools that are based upon formal methods and other technologies, like Ansys SCADE and Presagis VAPS XT. These tools allow designers to create complex critical systems using an advanced GUI environment. Auto-generation of code that is correct-by-construction provides code that does not need white box testing. This generated code can now be immediately integrated with other software and data structures to accelerate time-to-deployment. This is the future and eliminates many human-generated oversights.

4. Design for safety and security. In our Internet-of-Things (IoT) world we have evolved from disparate, disconnected embedded devices to a world of highly-connected, always-on, systems of embedded platforms that will always have a safety and security impact. In addition, these systems will always be under attack by an ever-more-sophisticated army of networked security threats. This is the most important aspect of your platform design. Creating a robust, resilient, and dynamic environment for protecting and enforcing the safety and security of any solution can impact affordability more than any other factor.

5. Design for Trust. Complex, software-defined, multi-core open virtualization platforms are tough to build, tough to test, and tough to maintain over a product lifecycle. One must create trusted architectures, design components, build and test processes, and proven COTS software components to form a foundation of trust that allow the focus on new, highly competitive aspects that do not have proven safety, security, and operational credentials. Using trusted components drives down program risk and accelerates time-to-market and deployment.

What is the current state of unmanned aircraft system (UAS) safety and security? What’s new and what’s Wind River’s role in facilitating safe/secure UAS?

It appears that larger UAS platforms, especially those in the U.S. military, have proven their safety and security in service. However, as UAS platforms get smaller in size, the safety, security, and failure rates seem to increase. We all know how to fix the quality and reliability challenges, but many smaller UAS systems may be challenged to afford more complete and compelling safety, security, and reliability efforts.

Wind River products provide a comprehensive set of security features to efficiently and effectively safeguard devices, data, and intellectual property in the connected world, securing it while it is at rest inside devices and when it travels across the network and into cloud environments. Our built-in security capabilities, security services offering, along with our development processes, meet rigorous security requirements across industries.

The X-47B by Northrop Grumman is the first tailless, autonomous unmanned
aircraft for carrier operations. Wind River VxWorks is its primary computing environment.

Recent accidents involving driverless vehicles are drawing public and political attention (and criticism). Do you have advice for makers of autonomous systems to better ensure the safety and security of systems/platforms?

The bar with autonomous vehicles needs to be zero deaths. Automobile crashes kill about 40,000 people per year in the U.S. alone – this certainly cannot be the bar. The autonomous vehicle industry needs to look at global commercial aerospace industry and learn how the FAA, EASA, and other air transport agencies have set the bar at zero deaths, and have recently achieved this remarkable milestone.

There are no short-cuts to high levels of safety and security – the autonomous vehicle industries cannot look at their past vehicles as a reference point; they need to look at proven aircraft certification processes and procedures to stop their legacy of tens of thousands of deaths per year.

Should aerospace and defense organizations be concerned about security when implementing cloud or Internet of Things (IoT) technologies?

Moving systems to the cloud and extending systems to include a multitude of IoT devices expands the security attack surface. We have migrated from single system security to globally connected, end-to-end security – no device is safe or free from increased security design rigor.

Security needs to be designed into a complete system, and this is really hard when multiple individuals, suppliers, and domains control the design, development, implementation, and maintenance of the system.

We need to start with resilient system architecture, and plan for change of this architecture as security weaknesses are discovered over life of the platform. Humans cannot do all the work; we need to use the latest model-based engineering (MBE) design and test tools to build trust into key components of a platform, and then verify that these components can support high levels of safety and security.

This is challenging – no one can apply high levels of safety and security rigor into every device and platform in the information flow, so we will need to determine ways to qualify devices in the network that do not have existing quality credentials. We need to evolve our view of a system where every device now can have an impact on the safety, security, and reliability of a system.

Air traffic management systems worldwide are being modernized. Is security a major concern? Do Wind River solutions play a role in securing ATM/ATC, particularly as more unmanned aircraft, autonomous aircraft, and rockets take to the skies?

Wind River products are designed into many of the manned aircraft, unmanned aircraft, autonomous aircraft, launch vehicles, and satellites today. Security is always a primary concern, especially as the number and diversity of systems increases. Wind River products provide a comprehensive set of security features to efficiently and effectively safeguard devices, data, and intellectual property in the connected world, securing it while it is at rest inside devices and when it travels across the network and into cloud environments.

Our built-in security capabilities, security services offering, along with our development processes, meet rigorous security requirements across industries. The challenge facing the industry is how do we implement robust security across the entire range of devices, especially the smaller, less expensive devices that may not have the budget or market to support provable security.

About Chip Downing

Chip Downing, senior director of business development for aerospace and defense at Wind River Systems, is a 20-year veteran of the embedded systems industry, a pioneer in safety certification for commercial real-time operating systems (RTOS), and chair of the Future Airborne Capability Environment (FACE) Business Working Group, as well as its Outreach Committee.

Is Wind River involved in the move to Software as a Service (SaaS) solutions?

Yes, Wind River is involved in the move to SaaS. We have evolved from being an RTOS company to having a comprehensive edge to cloud software portfolio. And Wind River is helping our customers evolve from a single-purpose, hardware-defined platform to a multiple-capability, software-defined platform. Robust virtualization solutions from Wind River naturally enable our customers to grow into a more efficient, powerful, and flexible SaaS future.

Any parting advice or recommendations for aerospace and defense companies, from defense contractors to commercial aviation and space innovators, such as makers of satellites and spacecraft?

Aerospace and defensecompanies should be making investments in next-generation, multi-core systems. And I would encourage these companies to have a conversation with Wind River as we continue to invest aggressively in creating innovative, software-defined foundations that can make any new platform more powerful and affordable, with higher levels of safety, security, and reliability than any legacy solution.

Voice your opinion!

To join the conversation, and become an exclusive member of Military Aerospace, create an account today!