Real-time operating system software steals spotlight, takes center stage in mil-aero electronics development
Technology Focus -- Real-time operating system software is more important today than it has ever been before, as systems designers depend on the RTOS to handle increasingly complex software structures and functionality, reliability, security, and more.
Pedigree, likewise, is essential, Day continues. Software engineers should ask: What programs have used the RTOS before? What was the success of the program? What is the maturity and code base of the RTOS?
Reliability -- proven through a large number of field deployments -- is an important consideration, says John Carbone, vice president of marketing at Express Logic Inc. in San Diego. “It demonstrates the RTOS’s ability to handle various requirements reliably, reducing risk.”
Proven success in meeting project schedules is another consideration, Carbone points out. “Studies are available showing the benefits of some RTOSs over others with regard to project completion on-time or ahead of schedule.”
Security and trust certainly also enter into mil-aero professionals’ decisions. “For mil-aero developers, the relationship with their RTOS vendor is more than just a supplier of software," Carbone says. "Many times, additional services or features are required, which involves a closer working relationship and trust with the RTOS provider.”
Security is a major factor for many new government programs, Day observes. “Security of network, security of information and data, and access controls and secure logins are now often specified as part of the functionality of the RTOS and its associated stacks. Separation kernels, partitioned operating systems, and secure operating systems are now being mandated for programs.”
“We have seen an evolution from federated architectures [single application, operating system, and hardware] to Integrated Modular Avionics (IMA) architectures [multiple applications, single CPU, and a time/space partitioned operating system] in the past 10 years,” admits Joe Wlad, senior director for aerospace and defense at Wind River, a wholly owned subsidiary of Intel Corp. in Alameda, Calif. Wind River’s VxWorks 653 is an IMA-based operating system being adopted for military systems and commercial aircraft.
Time and space partitioning is a key feature area, King agrees. Time partitioning guarantees that one piece of software enjoys a certain amount of time on the CPU, regardless of what other software is doing. Similarly, space partitioning guarantees that software in one partition cannot corrupt the memory of the software in another partition, he explains.
“You can imagine safety-critical software systems, in which partitioning is not present, might have one piece of software inadvertently or maliciously interfere with the correct operation of another piece of software and prevent it from doing its job,” King says. “In a worst-case scenario, it could cause the loss of the aircraft and the lives of those onboard.”
Reliability is the core issue. “Look at it as guaranteed execution and resource availability,” notes Greg Rose, vice president of marketing at DDC-I. “Another thing you get from time and space partitioning is the ability to run mixed-criticality applications. You can have some tasks executing at a higher level of importance and other tasks at lower levels of importance on the same box and still make sure things run. Deos has at its foundation time and space partitioning, guaranteed execution.”
Time and space partitioning have become increasingly important, King says. “For size, weight, and power (SWaP) reasons, avionics manufacturers were including more and increasingly complex functions; instead of having a new box on the aircraft every time they added something like that, they wanted to integrate different types of applications onto the same central processing unit (CPU).
“They can save SWaP with fewer boxes on the airplane, but with all these different pieces of software on the same CPU, we have a potential conflict where one piece of software might have an error, whether inadvertently or maliciously, and impacts the operation of other software. That’s where the time and space partitioning comes into play,” King adds.
“Maybe this really critical piece of software went through a very rigorous development verification process that may take a lot of time and be very costly,” King proposes, “and then I might have some non-critical piece of software that went through a much less rigorous process and it may have errors in it. Now I can safely mix them on the same CPU because the operating system, the RTOS underneath, guarantees with time and space partitioning that the lower-criticality piece of software that I have less confidence in cannot somehow affect the correct operation of the higher criticality piece of software.”
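The isolation King describes above, shown as an added example rather than code from DDC-I, Wind River or any RTOS named on this page: a small simulation of a major frame with fixed time windows (time partitioning) and per-partition memory regions (space partitioning). The partition names, region sizes and tick budgets are constructed for the illustration; a real kernel enforces the memory boundary with the MMU and the time boundary with a timer interrupt, which the simulation models as explicit checks in `partition_write` and `run_major_frame`.

```c
/* Added example: simulated time- and space-partitioned scheduling.
 * Not vendor code; all partition names, sizes and budgets are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 256            /* constructed: whole simulated address space */

static uint8_t g_mem[MEM_SIZE]; /* simulated physical memory shared by all partitions */

struct partition {
    const char *name;
    uint32_t mem_base;   /* space partition: this partition may touch [mem_base, mem_base + mem_len) */
    uint32_t mem_len;
    int window_ticks;    /* time partition: fixed CPU window inside every major frame */
    int work_wanted;     /* ticks of work the partition's task wants this frame (-1 = never finishes) */
    int ticks_run;       /* accounting: ticks actually granted in the last frame */
    int mem_faults;      /* accounting: out-of-region accesses that were refused */
};

/* Space partitioning: every write is checked against the caller's own region,
 * so a faulty or malicious partition cannot corrupt another partition's memory.
 * In a real kernel the MMU raises a fault here; the simulation refuses the write. */
int partition_write(struct partition *p, uint32_t addr, uint8_t val)
{
    if (addr >= MEM_SIZE || addr < p->mem_base || addr >= p->mem_base + p->mem_len) {
        p->mem_faults++;
        return -1;
    }
    g_mem[addr] = val;
    return 0;
}

/* Time partitioning: run one major frame. Each partition gets exactly its
 * window and is preempted when the window ends, however much work it still
 * wants, so an overrunning partition cannot starve the ones scheduled after it. */
void run_major_frame(struct partition *parts, int n)
{
    for (int i = 0; i < n; i++) {
        struct partition *p = &parts[i];
        p->ticks_run = 0;
        for (int t = 0; t < p->window_ticks; t++) {
            if (p->work_wanted == 0)
                break;                 /* finished early; the rest of the window idles */
            p->ticks_run++;
            if (p->work_wanted > 0)
                p->work_wanted--;
        }
        /* leftover work_wanted simply waits for the partition's next window */
    }
}

/* Helper: ticks a single partition receives in one frame for a given window and workload. */
int ticks_granted(int window, int work)
{
    struct partition p = { "probe", 0, 16, window, work, 0, 0 };
    run_major_frame(&p, 1);
    return p.ticks_run;
}

/* Demonstration: a low-criticality partition that never yields and tries to write
 * into the critical partition's memory, scheduled ahead of the critical one.
 * Returns 1 if the critical partition was fully isolated in both time and space. */
int demo_isolation(void)
{
    struct partition parts[2] = {
        { "maintenance_log", 128, 128, 60, -1, 0, 0 }, /* non-critical: runs forever */
        { "flight_control",    0, 128, 40, 30, 0, 0 }, /* critical: needs 30 of its 40 ticks */
    };
    memset(g_mem, 0, sizeof g_mem);

    partition_write(&parts[1], 10, 0x5A);          /* critical partition stores a value */
    int rc = partition_write(&parts[0], 10, 0xFF); /* rogue partition tries to overwrite it */

    run_major_frame(parts, 2);

    int rogue_capped      = (parts[0].ticks_run == 60);  /* cut off at its window */
    int critical_got_time = (parts[1].ticks_run == 30);  /* completed its work on schedule */
    int memory_intact     = (rc == -1 && g_mem[10] == 0x5A && parts[0].mem_faults == 1);

    return rogue_capped && critical_got_time && memory_intact;
}

int main(void)
{
    printf("critical partition isolated: %s\n", demo_isolation() ? "yes" : "no");
    return 0;
}
```

The point of scheduling the rogue partition first is that its preemption at tick 60 is what protects the flight-control window; without the fixed window, the never-finishing task would hold the CPU and the critical task would never run.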
The latest RTOS technology from Green Hills Software in Santa Barbara, Calif., combines the benefits of partitioning and virtualization, and offers the ability to virtualize Microsoft Windows or Linux in safe and secure embedded systems. “Introducing Microsoft Windows or Linux, whose security is only certified to protect against casual and inadvertent attempts to breach the system security, into any mil-aero application is fraught with danger to both lives and national security,” says Dan O’Dowd, chief executive officer of Green Hills Software.
“The only way these operating systems can be made safe and secure is to virtualize them in a ‘padded cell’ whose safety and security is sufficient to protect classified and other high-valued information against sophisticated threat agents; i.e., SKPP EAL6+/High Robustness and RTCA DO-178B Level A,” O’Dowd explains. “Our Padded Cell virtualization technology is the only virtualization technology to offer the RTCA DO-178B Level A and SKPP EAL6+/High Robustness necessary to prevent Windows and Linux from harming the security and safety of the system.”
Although a feature-rich RTOS can be advantageous, “in general, it’s wise to avoid overkill,” Carbone says. “In other words, don’t select an RTOS with more bells and whistles than you need; it just adds complexity, complicates learning and using, slows down development, and often costs more. Instead, identify the technology that’s appropriate for the task at hand.”
“You want an operating system imposing as little overhead of its own as possible,” King says, “so that you leave as much CPU bandwidth as possible for the actual value-added software -- whether it’s a flight control system, ground proximity warning system, or whatever it might be. People are very sensitive to the performance of the operating system and there are wide differences in the commercial off-the-shelf (COTS) products out there in that regard.”
Consider how well the RTOS can respond to events, Day recommends. “Applications in the mil-aero industry often have to respond to many more events in a shorter time span than commercial systems, and the ramifications for not responding to events on time can be life-critical.”
Multi-core processors very often yield performance gains, and RTOS vendors are adding technologies and capabilities to their operating systems to take advantage of multiple cores. “VxWorks 653 now supports multi-core architectures, which will enable future designers to add even more applications to a single hardware platform,” Wlad says. “Augmented with virtualization capability, our customers can add legacy applications based on Linux to an ARINC 653, DO-178C-certified environment. VxWorks technology supports open standards APIs, such as ARINC 653 and POSIX, and a wide variety of the industry’s latest multi-core architectures.”
“We’ve been tracking for some time the move to multi-core processors,” says DDC-I’s King, who is working to make the Deos operating system multi-core aware and multi-core capable. “From a safety-critical system developer point of view, those chips present some very interesting challenges -- in particular, regarding resource contention. I have software running on two cores competing for one memory subsystem -- there’s resource contention. While one core is accessing it, the other one has to wait.
“What happens if core-zero has it tied up and core-one needs access to some critical data value because it has a critical calculation going on? All of a sudden, I have to wait. That’s a bad thing,” King continues. “We’re bringing some unique, patented technology to bear that will address those challenges and allow our customers to leverage the full power afforded by these multi-core processors. Lacking that, you basically write software, run it on one core, and turn off all the other cores, so you’re getting rid of a significant amount of the processing power. We want to bring this new technology to bear so that you can leverage all that power.”
“In mil-aero applications, safety and security are always paramount,” says O’Dowd. “Before considering an RTOS for any safety related application, you should check its safety and security certifications.
“The gold standard for safety certification is RTCA DO-178B Level A, required for flight critical software in aircraft. No RTCA DO-178B Level A software has ever been blamed for an aircraft fatality. Aircraft are the only software intensive products for which the software is the least likely cause of failure -- That is safe by anyone’s definition.”
DDC-I’s Rose also stresses the importance of an RTOS from a vendor with a proven history of safety-critical operation and certification, including DO-178B. The military community “is quite aware of DO-178B and starting to embrace it,” he says. “A lot of customers might not need full DO-178 certification today, but they can see the trend and the way things are going. They want to know that the RTOS they choose has those artifacts so that when they need them a year down the road, perhaps, they’re available and they won’t have to redesign their system.”
“It’s a trend we are seeing with almost every mil-aero customer,” King confirms. “Every mil-aero customer I have talked to in the past five years has asked about DO-178 certification.”
Certification of an RTOS can be crucial, in fact. “Many aerospace applications require DO-178B certification,” Carbone acknowledges, “so the RTOS you select should have already been certified by previous customers, should be available with full source code, and should be available with artifacts for your certification needs.”
“The most important operating system characteristics for our aerospace and defense customers are the ability to support safety requirements in RTCA DO-178B and DO-178C, and the inherent capability to support high Common Criteria security requirements for mission-critical systems,” Wlad describes.
“At the end of the day, these software vendors have to be able to certify their programs. They want a high degree of confidence that the operating system vendor is not going to introduce any risk into their certification. The ability to certify an operating system in military applications is becoming more important by the week; it is increasingly a big part of the decision on the military side.”
Avionics software aside, the gold standard for security certification is Separation Kernel Protection Profile (SKPP) Evaluation Assurance Level (EAL) 6+/High Robustness, according to O’Dowd. “This standard states that it is appropriate to protect ‘classified and other high-valued information’ from ‘sophisticated threat agents’ -- That is secure by anyone’s definition,” he says. “On the other hand, Microsoft Windows and Linux are only certified to protect against ‘casual and inadvertent attempts to breach system security’ -- That is not secure by anyone’s definition. Any RTOS that can’t meet these high-level safety and security standards has no business being used in life-critical or national security-critical mil-aero applications.”
Real-time software companies
Green Hills Software
QNX Software Systems
Wind River Systems