By John McHale
Avionics integrators are demanding software with extensive airworthiness certification and documentation for use aboard aircraft flying over U.S. commercial airspace. The standard they use is RTCA/DO-178B as adopted by the Federal Aviation Administration
Come fly the friendly skies," a popular slogan of a well-known airline, attempts to express the safety of air travel. At the root of such guarantees are thousands of documents detailing the airworthiness, reliability, and safety of each and every part of commercial and military aircraft including real-time operating systems (RTOSs).
Officials of the Federal Aviation Administration (FAA) in Washington require that software in airborne systems and equipment be certified under RTCA/DO-178B, "Software considerations in Airborne Systems and Equipment Certification," to provide guidance in the production of software for airborne systems.
RTCA Inc., the Radio Technical Commission for Aeronautics in Washington, is a private, not-for-profit corporation that develops consensus-based recommendations regarding communications, navigation, surveillance, and air-traffic management system issues. RTCA functions as a federal advisory committee. FAA leaders use RTCA recommendations as the basis for policy, program, and regulatory decisions. Executives in private industry also use RTCA recommendations as the basis for development, investment, and other business decisions.
The military does not require compliance with DO-178B. Yet military leaders recognize that they need 100 percent reliability of life- and mission-critical flight software especially with the growing use of commercial-off-the-shelf (COTS) technology, explains Tony Baghai, assistant software design engineer representative for the FAA working with TekSci, a Phoenix-based software consulting firm focused on high-reliability and high-availability systems development.
TekSci recently became part of Enea Data AB to support the North American expansion of Enea OSE Systems, another owned subsidiary of Enea Data of Sweden. TekSci engineers have extensive experience certifying systems and software according to safety standards such as DO-178B.
Military prime contractors find that complying with DO-178B is important because of increasing numbers of military aircraft that fly over civil population centers, and the growing use of military avionics subsystems in commercial aircraft, says Doug Saulsbury, director of aerospace and defense marketing at real-time software provider LynuxWorks in San Jose, Calif.
DO-178B — and its counterpart ED-12B in Europe — was developed through the cooperative efforts of RTCA and the European Organization for Civil Aviation Equipment (EUROCAE). DO-178B provides guidelines for the software development process yet is not a development standard or process document. Software developers may use any development methodology as long as the criteria in DO-178B are satisfied in the areas of planning, software development (requirements definition, design, code, integration, and verification), configuration management, and quality assurance.
DO-178B recognizes that different applications and systems have different potential for failure. Accordingly, five software levels (A through E) have been defined for the effort required to show certification compliance in accordance with the different hazard classifications. The effort required for each level is on a sliding scale with the Level A, the most safety-critical, requiring the most scrutiny and Level E, the least critical, requiring the least scrutiny. As defined in DO-178B, failure or anomalous behavior of Level A software could have a catastrophic effect for an aircraft, while Level B is for software that could have a hazardous or severe-major effect. Levels C and D have to do with major and minor effects, respectively, and Level E with software that would have no effect.
DO-178 was originally published in 1980, with version A released in 1985, and version B in 1992, Baghai says. RTCA developed the documentation, then published it through ARINC in Annapolis, Md., and the FAA then mandated it for any software used in commercial aircraft avionics systems, he adds.
Prime contractors only apply DO-178B guidelines to software in systems that must be FAA-certified, says Gareth Noyes, product marketing manager for certification at Wind River Systems in Alameda, Calif. While Wind River and other RTOS vendors are working on doing that for them, the primes still have to certify the rest of the system, he explains.
Wind River's DO-178B certification of the company's VxWorks RTOS should be ready by the end of 2001, Noyes adds. VxWorks is the fundamental runtime component of the company's Tornado II embedded development platform and is part of many defense applications including advanced avionics, fire control, sonar/radar, navigation and guidance, command and control, simulation, and space and missile systems.
It is in the interest of all to have certified, fault-tolerant software to ensure the safety of the application, says John Carbone, vice president of marketing at Green Hills Software in Santa Barbara, Calif. Engineers at Green Hills recently released Version 3.0 of their Integrity RTOS. Tightly integrated with Green Hills' MULTI software development environment, Integrity 3.0 is a memory-protected RTOS designed for mission-critical embedded applications.
A typical software application has many segments to certify. As such, RTOS vendors provide extra services to their clients when they take the software certification burden on themselves, Carbone says. Instead of going through all the man-hours of paperwork themselves the customer can just refer to documentation the RTOS vendors generate, he adds.
DO-178B compliance is necessary to ensure software reliability, especially with the Free Flight technology of the future, which will help air traffic controllers at very crowded airports, Noyes says. Free Flight would enable the flight electronics on each aircraft to determine its own flight path using continuously updated information from radar, other aircraft, and weather forecasters, he adds.
Software becomes even more critical in this type of situation and needs to be certified, Noyes claims.
Testing and certification under DO-178B before the customer buys the product also helps weeds out any errors or bugs that may have missed initial inspection, Baghai says.
"I grew up developing software and systems for the military," Saulsbury says, "and the internal methods used essentially provided DO-178B-like certification as the product was developed." Yet commercial software development did not follow the same path, he adds. Now all of a sudden customers are asking for the certification of COTS software to reduce risk, Saulsbury says.
RTOS vendors need to examine their whole process, hire trained experts to do certification, work with an FAA-designated engineering representative, and even work with consulting companies such as TekSci, he says.
It is a large investment but will have long lasting benefits, Saulsbury continues. The LynuxWorks RTOS called LynxOS, should be certified by the end of 2001, he adds. Then LynxOS will be known as a DO-178B compliant RTOS, which only enhances its reputation as a reliable operating system, Saulsbury says.
LynuxWorks experts offer the Posix-based LynxOS RTOS and offer a product called BlueCat Linux. BlueCat Linux is part of the company's LynuxWorks suite that enables embedded systems development of both BlueCat Linux and LynxOS with a common compatible toolset. Lynx customers can use LynxOS for their real-time functions, then switch to BlueCat to run graphics and other non-real-time functions, LynuxWorks officials say.
Already the demand for DO-178B-complaint systems is moving beyond the avionics field and into ground applications, Saulsbury claims. If a customer has a high-end application in a safety-critical environment, he will want a certified RTOS running it, Saulsbury says. It is the same thing with cars — if you have a Ferrari you would not take it to a Chevy guy, you want a certified Ferrari expert working on it, he adds.
Separating certified from uncertified
One key thing to look for when choosing software is terminology, Baghai says. Some systems may claim to be certifiable but are actually not certified; that is a big difference, he explains. It takes almost three years to become complaint with DO-178B, Baghai says, and a customer willing to take that burden on himself better be willing to bear the cost of achieving compliance.
Smaller customers who are working on a low-level application where the safety certification is not critical should also proceed with caution even when purchasing a DO-178B-certified RTOS because it can be expensive, Baghai explains.
Enea OSE experts started the certification of their OSE RTOS in 1995 and completed it last year, becoming the first major RTOS vendor to do so, Baghai claims. The OSE RTOS supports fault-tolerant systems that are designed to enable recovery from hardware and software failures. OSE differs from other RTOSs by adopting message passing as its primary method of interprocess communication.
The OSE real-time kernel is a foundation for systems requiring pre-emptive capabilities in environments ranging from simple switches to complex instrumentation, Enea OSE officials say. The OSE Link Handler enables applications to take advantage of several different processors in one system.
OSE's Memory Management System (MMS) offers design engineers a window into the system's memory resources, as well as parameters to protect critical memory spaces memory overwrites or unauthorized access, Enea OSE officials says. DO-178B applies not only to software processes, but also to the information flow from software to system, they explain. The safety assessment process focuses in part on traceability between system requirements and software design data, Enea OSE officials say.
Most software vendors have about 30 to 35 percent of their system tested leaving the remaining 65 to 70 percent to the customer, Baghai says.
There are three categories of RTOS vendors in regard to certification, Baghai continues. The first is the "roll your own RTOS" category, where many different companies create proprietary RTOSs for specific applications and have no need for DO-178B certification, he explains.
The second includes RTOS vendors such as LynuxWorks and Wind River, which certify about 40 percent of a system and leave the rest to the customer, Baghai says. However, both companies are currently working to have compliance for their respective RTOSs, he adds.
The third category consists of companies like Enea OSE, which offers an off the shelf DO-178B-compliant microkernel, Baghai says. "I'd feel much safer when myself or my family boards an aircraft that is certified 100 percent under DO-178B," TekSci's Baghai says.
DO-178B and open source
Certifying open-source code under DO-178B provides a different challenge than certifying proprietary code, Saulsbury says. "We recently received a request for a quote for using Linux in a 178-B environment," he adds.
This was the first request but there will probably be more to follow so the subject definitely needs to be discussed, Saulsbury says.
Companies such as Wind River own and control their code and can deal with upgrades easily and can control what part of the code changes and which does not, he explains. However, this is not the case with open source, he adds.
When certifying an open-source system such as Linux, "the first thing to is identify which release to base the certification work on and then freeze its configuration, put it under tight configuration control, and don't automatically upgrade," Saulsbury says.
The best way to handle upgrades is to examine an upgraded version by doing a line-to-line comparison to uncover the differences in the code, he continues. Then decide whether or not you wish to incorporate the changes then if so how, Saulsbury says. One method is to reverse engineer the code to modify it while still supporting the original design architecture, he adds.
One advantage to certifying open-source code is that "you have a large engineering base that hopefully will require less training," Saulsbury says.
Cogent AirNAV system uses ONX RTOS
Engineers at Cogent Real-Time Systems in Georgetown, Ontario, needed a high-reliability real-time operating system (RTOS) to run their AirNAV helicopter navigation system. They chose the QNX 4 real-time operating system from QNX Software Systems in Ottawa, Ontario.
"The reliability and performance of AirNAV was, in fact, such a priority that it governed the selection of the OS for the project," says Paul Benford, business manager at Cogent. "Our only viable choice was to use QNX and the Photon microGUI. Networking proved to be another key feature in our choice of QNX. We saw the ability to effortlessly attach network nodes running other data-gathering processes as a major advantage over other operating systems.
"Thanks to QNX, the [AirNAV] modular architecture allows for additional measurement devices to be added with minimal effort and with no significant effect on the performance of the current system, Benford says. With QNX and Cogent software, we've raised the performance and flexibility of navigation systems to a new level."
One of the POSIX-based QNX RTOS's best features is its memory protection, says Paul Leroux, technology analyst at QNX. Conventional operating systems use one flat memory architecture where hard-to-detect programming errors like corrupt C pointers can cause programs to overwrite each other or the kernel, QNX officials say. The inevitable result is system failure.
The QNX 4 RTOS has all the advantages of a true microkernel — it is small, scalable, extensible, and fast, QNX officials claim. As a true microkernel, the QNX RTOS starts with a core of highly reliable code, that is small enough for ROMable embedded applications, yet powerful enough to run a distributed network of several hundred processors, they explain.
QNX 4 also has a robust protected-mode environment, which enables users to test their extensions and try new approaches, without fear of the system crashing. The system has low operating system overhead and executive-class speed, enabling users to deliver low-cost PC-based products that often outperform costly high-end systems, QNX officials say.
The QNX microkernel handles process creation, memory management, and timer control. QNX engineers use transparent distributed processing to enable users to launch processes across the QNX network, allowing for full inheritance of the environment, including open files, current directory, file descriptors, and user ID. The microkernel also includes POSIX.1 (certified) and many POSIX.1b real-time services, as well as high-speed diagnostic event tracing.
The QNX RTOS is also sophisticated because it uses message-passing technology for communication within the system, Leroux explains.
Cogent engineers built the AirNAV system in approximately seven months, Benford says. "A state-of-the-art navigation system, AirNAV is based on an earlier Windows- based prototype that was plagued with speed and stability problems and therefore was never commercialized, he explains.
"The system reads, timestamps, and stores data from radar altimeters and other devices that monitor flight speed and direction," Benford continues. The speed at which data is generated and the speed of the aircraft itself means that AirNAV must handle information with millisecond accuracy, he adds.
"AirNAV uses real-time GPS information to display the position of the aircraft at all times," Benford claims. "From the moment the system is turned on, the pilot can see exactly where the aircraft is on the surface of the earth, with an accuracy of plus or minus 16 feet — the current accuracy limit imposed by the [United States] government for satellite data."
The AirNAV system, mounted in the helicopter cockpit, displays a home base, a number of waypoints, and one or more survey areas," Benford says. "Each survey area contains survey lines that a pilot uses to ensure the entire target area is covered. The area around the survey, called the 'vicinity,' marks the region within which the data acquisition system begins to log data. On a long flight from home base to the survey area, the system displays navigation information en route, so the pilot can fly the shortest path." —J.M.
DY 4 Systems supports VxWorks AE on its PowerPC-based single-board computer
Engineers at DY 4 Systems in Kanata, Ontario, recently announced that its SVME/DMV-179 board support package (BSP) and driver suite will now support VxWorks AE - a next-generation, real-time operating system and integrated development platform from Wind River Systems in Alameda, Calif.
DY 4's SVME/DMV-179 is a PowerPC-based VME board for military and aerospace applications including fighter aircraft radar data processors, helicopter-mounted infrared targeting systems, and airborne and ground-based military data links.
DY 4's BSP and driver suite for VxWorks AE will enable customers to take advantage of the I/O capabilities of the 179 platform while benefiting from the Protection Domains technology provided by VxWorks AE, DY 4 officials say. With Protection Domains, VxWorks AE tasks running on the 179 products can optionally run in a protected memory space.
"Just as in other areas of the embedded computer world, the software applications developed by defense/aerospace equipment suppliers continue to get more complex, more interconnected, and more critical to the success of the mission," says Anthony Siregar, vice president of marketing for DY 4. "VxWorks AE's protected memory model will allow DY 4 and Wind River's mutual customers to reduce the cost of developing robust, highly reliable software, furthering the competitive advantage of basing defense/aerospace systems on off-the-shelf solutions such as those that Wind River and DY 4 provide."
The suite of drivers and libraries included in the BSP and driver suite completely isolates application developers from the underlying hardware, DY 4 officials say. In addition to support for standard items such as Ethernet, SCSI, asynchronous serial, PCI, VME, and system timers, the BSP and driver suite provide a set of drivers for VME, DMA, PCI, synchronous serial, general purpose user timers, discrete digital I/O, real-time clock, Flash reprogramming, and initiated and continuous built-in-test. — J.M.
U.S. Navy destroyers use VenturCom and VersaLogic solution for rudder control
Officials at Litton Marine Systems in Charlottesville, Va., recently selected a software and hardware solution for the rudder-control system on U.S. Navy destroyers that runs on the Windows NT embedded operating system.
This approach combines the Panther PC/104-Plus single board computer from VersaLogic in Eugene, Ore., with Cambridge, Mass.-based VenturCom's RTX real-time enabling technology for Windows.
The rudder-control system is on two of the Navy's Arleigh Burke-class destroyers (DDG 89 and DDG 90), says Myron Zimmerman, chief technology officer at VenturCom.
Litton Marine's RTX-based rudder control system contains four VersaLogic embedded Pentium computers networked via a dual Ethernet connection, and operates on Windows NT Embedded. This design platform provides a robust user interface, a common development and testing platform, and integrates several pre-written off-the-shelf Windows-based applications, VenturCom officials say.
VenturCom officials have created configurations which speed the development of real-time Windows NT and Windows NT Embedded-based systems across VersaLogic's Panther and VSBC-6, their PC/104-Plus, and EBX single board computers under an agreement between VenturCom and VersaLogic. These configurations will be made available to engineers at no cost through VenturCom's CENTer Web site http://www.vci.com/CENTer.
VersaLogic also joins VenturCom's Channel Partner program, and becomes an official reseller of VenturCom's RTX for Microsoft Windows NT, Windows 2000, and Windows NT Embedded, as well as Platform Evaluator, a tool for measuring real-time responsiveness across hardware platforms.
VenturCom's RTX extensions are also on flight simulators from CAE in Montreal, Zimmerman says. The RTX features enable local and Internet-based supervision by flight instructors.
VenturCom, engineers also recently released the next generation Windows extension product, RTX 5.0. It is the first real-time extension software available for the Microsoft Windows 2000 operating system, VenturCom officials say.
RTX 5.0 adds a finer degree of task scheduling and timing control to Windows 2000 as well as to Windows NT and Windows NT Embedded 4.0, VenturCom officials say. The added control enables engineers of next generation communications, office automation, industrial, medical and entertainment equipment to reliably develop and deploy high performance, mission-critical applications that run on Windows operating systems, VenturCom officials claim.
The reliability of Windows has also been improved with Windows 2000 through reduced reboot time and a self-healing capability, which can maintain applications during a system failure, Zimmerman says.
VenturCom's RTX enables high performance real-time and non real-time processing to take place on one processor. The product is the only native, Win32-based real-time extension technology for Microsoft Windows operating systems. Many applications of this technology have already been developed and deployed using earlier versions of RTX with Windows NT and Windows NT Embedded 4.0.
RTX 5.0 features include: a Win32 application program interface (API) that enables developers to leverage existing knowledge and development tools for time critical computing applications; the ability to start as an application, or early in the Windows boot cycle (as a device driver) providing fast start and control independent of Windows.; additional API functions for direct access to hardware, optimizing the development of drivers and control oriented applications; design based on an independent and higher priority scheduler for the purpose of continuing execution after a Windows exception event; and support for single processor, multi-processor, workstation, and server versions of Windows NT, Windows NT Embedded, and Windows 2000. — J.M.
Who's who in real-time software
San Jose, Calif.
Green Hills Software
Santa Barbara, Calif.
San Jose, Calif.
Wind River Systems
The DO-178B certification trend may be causing a lot of discussion among major real-time operating system (RTOS) vendors but others, such as Eonic Systems, Real-Time Innovations, and FSM Labs, have new designs and products in the news.
Engineers at Eonic Systems in Santa Clara, Calif., recently unveiled their Virtuoso 4.2 Integrated Development Environment (IDE), for the design of multiprocessor embedded digital signal processor (DSP) networks, such as radar, sonar, and high-end image processing. The Virtuoso 4.2 IDE includes the Virtuoso 4.2 RTOS, a project manager, a new multi-threaded asynchronous network host server, and a suite of graphical analysis and debugging tools, as well as plug-ins to Texas Instrument's Code Composer Studio and analog Device's Visual DSP.
The newest version of the Virtuoso RTOS offers one processor programming style for multiprocessor systems, both CSP channel and multithreading multitasking capabilities, static memory allocation, target channels that enable data to be sent and received at different data rates without buffers, and distributed, shared or pooled memory architectures.
Real-Time Innovations experts in Sunnyvale, Calif., are providing their ScopeTools product suite to embedded software developers using Wind River Systems', new Tornado Tools 3 embedded development environment for the VxWorks AE RTOS. The ScopeTools are visualization tools for data monitoring, execution tracing, performance tuning, and memory analysis.
Experts at FSM Labs in Socorro, N.M., recently released the last pre-release upgrade to version 3.0 of their RTLinux RTOS. Highlights of the upgrade include bug fixes, HTML documentation, debugger for the PowerPC, and installation procedure changes. — J.M.