
Page 1: Standards, Choice and Flexibility for Aerospace and Defence …sesam.smart-lab.se/seminarier/Varsem06/Wind River.pdf · Standards, Choice and Flexibility for Aerospace and Defence

© 2006 Wind River

Standards, Choice and Flexibility for Aerospace and Defence Devices

SESAM 31st May 2006

Alex Wilson, Senior Program Manager, Aerospace and Defence

Page 2

Agenda

• Who are Wind River?

• Trends and Standards lead to requirements

• How does a COTS OS meet these requirements ?

• What is the impact of Safety Certification ?

• What is the impact of Security Certification ?

Page 3

What Our A&D Customers Do

Our customers make differentiated devices by focusing on intelligent, connected device software

Page 4

What We Do: Device Software Optimization

Wind River enables companies to develop and run device software faster, better, at lower cost, and more reliably.

Page 5

Wind River Corporate Facts

Wind River Overall: established 1981, IPO in 1993; FY06 revenue $266 million (+13%)

Wind River Aerospace & Defence: 28% of revenue is A&D; largest A&D COTS market share

Wind River Engineering: 450 engineers, 170 support engineers, 1200 employees worldwide

Page 6

What types of systems give us information?

Land: Abrams Tank, Challenger Tank, CHALS-X, CIBADS II, Fuchs Spürpanzer, GIG-E Program, JCAD, JTRS, MLRS, Patriot Missile, PDCUE, TDOA System, THAAD Missile, TRC 4000

Sea: AEGIS, AN/AQS20/X Sonar, A/N SQQ-89 ASW, Astute Class Sub., Harpoon Missile, Mark 48, GMVLS, MK41, 5 inch gun, NCSS, NAVMACS, Phalanx – CIWS, SGS, SSDS, Trident Missile, Type 45 Destroyer

Air: Apache Helicopter, AWACS, Airbus A400M, B-1B, B-2, B-52, C-130 AMP, EC-725 Helicopter, Eurofighter Typhoon, F-15, F-16, F-18, F-22, F35 (JSF), Global Hawk UAV, Tornado, UCAS-N (X-47B)

Space: A2100 Satellite, EGNOS, HOPE-X Space Plane, Mars Rovers, Mars Odyssey, Mars Recon Orbiter, Mars Pathfinder, MTSAT-2 Satellite, MUBLCOMM Satellite, NASA Space Shuttle, NPOESS, ORBCOMM, PROBA Satellite, SBIRS, SORCE Satellite, X38 Space Lifeboat

Commercial Aviation: Airbus A318, Airbus A319, Airbus A320, Airbus A340, Airbus A380, ATIDS, Boeing 777, Boeing 787 Dreamliner, EC-225 Helicopter, GlobalStar 2100, VICTORIA Program, WAAS

Page 7

A&D (Force) Transformations in DSO

Old Way -> New Way

• Foot Soldier -> Robotic Device
• Manned Aircraft -> Unmanned Aerial Devices
• Federated Systems -> Integrated Modular
• Proprietary Systems -> COTS Systems
• Proprietary APIs -> Standard APIs
• Standalone / Isolated -> Networked / Connected

Page 8

Aerospace & Defence Industry Characteristics

[Figure: notional projected lifetime vs. extended life on a 0–100 year axis; B-52 (1946 / 1955) projected to serve to 2040+, 94+ years]

• Increasingly long lifecycles
– How to update existing capabilities?
– How to overcome obstacles due to obsolescence?

• Processor Architecture Migration
– Increased supply cost of near-obsolete components
– New technology introduction – MultiCore, FPGA, SoC?

• Software obsolescence and reuse
– Emerging software standards – IPv6, ANSI C++, ARINC 653
– Host support – Windows 95, NT, 98, 2000, XP…

• Safety and Security requirements

Page 9

COTS and Open Standards

Page 10

COTS Systems

• Interoperability, Compatibility and Obsolescence Concerns:
– Is the Software API consistent across diverse Processor Architectures?
– Can the vendor readily support multiple COTS targets?
– Does the vendor provide consistency across Hosts and Targets?
– Who handles Middleware integration?
– Who handles Hardware/Software integration?

• Do Open Standards help?
– POSIX
– LINUX
– ARINC 653
– ANSI Language standards

DO-178B Glossary Entry: “Commercial off the shelf (COTS) software – Commercially available applications sold by vendors through public catalog listings. COTS software is not intended to be customized or enhanced. Contract-negotiated software developed for a specific application is not COTS software.”

Page 11

POSIX® /pahz-icks/

• An acronym for Portable Operating System Interface
• POSIX is a set of books specifying APIs
– It is neither a piece of code
– Nor an operating system
– It is a rich, proven API

• POSIX.1 is the full POSIX standard
– Defined by IEEE Std 1003.1-2003
– POSIX.1: 1123 routines (APIs)

• Profiles PSE51-PSE54 are subsets of POSIX.1
– Defined by IEEE Std 1003.13-2003

[Figure: the POSIX volumes – Rationale, System Interfaces, Definitions, Commands]

• It's about portability
– Both programmers and application source code
– Portability of the OS kernel itself and/or application binary code are not objectives

Page 12

LINUX

• LINUX overview
– Full featured Unix – “mostly” POSIX compliant *
– SMP capable
– Linux is NOT hard real-time (non-deterministic, kernel non-preemptable)
– Generally requires more resources than COTS RTOS

• LSB – Linux Standard Base – Version 3.1 (Q2 2006)
– http://freestandards.org/en/LSB
– Application (i.e. Binary)
– And Kernel
– Draws on other standards such as POSIX

* See The Open Group document: POSIX and Linux Application Compatibility Design Rules by C. Douglass Locke

Page 13

What is ARINC 653?

ARINC 653 is an application executive specification used for integrating avionics systems on modern aircraft.

[Figure: Federated System vs. Integrated Modular Avionics; functions shown: Flight Management Computer, FCC, ILS/MLS, DME/ADF, VOR, OMC, IRS, GPS, CDU, FQIS, EEC, FDR, MCP, ADC, IDS, CLOCK]

Page 14

Example: Boeing 787 Common Core

[Figure: aircraft functions hosted on the Common Core System]
• Displays
• Flight Management
• Air Data
• Navigation
• Data Loading
• Common Core System
• Health Management
• Fuel Management
• Auxiliary Power Unit
• Flight Data Recorder
• Landing Gear
• Brakes
• Steering
• Cabin pressure
• Environmental Control
• Hydraulics
• Backup Electrical
• Crew/Pax O2
• Fire Protection
• H2O/Lavs
• Thrust Reversers
• Crew Alerting
• Window Heat
• Ground Proximity Warning System
• Emergency lighting

~25 CCS Suppliers

Page 15

ANSI Language Standards

• C, C++ ANSI Standards fairly common for all compilers
– Exception with Visual C++
– Some uptake of MISRA C subset
– Move towards MISRA-like subset for C++

• Ada 2005 enhances standardisation of Ada
– Ada still used heavily in Europe for Safety Related tasks

• JAVA Usage
– Still increasing, some A&D Usage (Particularly RT JAVA)

Page 16

Example of Standardisation: Software Defined Radio

Page 17

The Problem - Interoperability

• Northern Iraq: US Navy jets mistakenly attacked a Kurdish convoy led by US Special Operation Forces. Caused by a simple mix-up: the radios carried by the SOF were compatible only with USAF aircraft but not with US Navy jets which had attacked them!

• September 11: Hundreds of firefighters and police officers rushed into the World Trade Center. Helicopters circling overhead noticed the buildings starting to glow and relayed to incident commanders on the ground that the buildings may collapse. The police officers were given the order to evacuate --- all but 80 escaped. The firefighters never got the word --- 121 of them, most within striking distance of safety, never got the word

Page 18

The Solution: Software Defined Radio

An enabling technology: economies of scale, interoperability, remote management, standardisation

“A software-defined radio (SDR) system is a radio communication system which uses software for the modulation and demodulation of radio signals”

…or more simply put, plug-and-play waveforms!

Page 19

Software Communications Architecture

• SCA 2.2.1 Definition Document
– Standards-based framework
– Defines how elements of hardware and software are to operate in harmony within the JTRS (load waveforms, run applications, and be networked into an integrated system)
– API and services to provide abstraction of underlying h/w and s/w

• Modeling tools and reference implementations
– Help developers build SCA-compliant waveforms

• FPGAs – re-programmable for various waveforms
• DSPs – intensive computations

[Figure: SCA stack – SCA Core Framework on CORBA and IPv4/v6 Networking over the Operating System, on Hardware (GPP, FPGA, DSP); Application Development Tools (IDE) and SCA Development Tools alongside]

Page 20

Example of Standardisation: Network Enabled Capability

Page 21

Network Enabled Capability

• Concept of a NEC
– A robust networked force improves information sharing
– Information sharing enhances the quality of information and shared situational awareness
– Shared situational awareness
  • enables collaboration and self-synchronisation
  • enhances sustainability
  • increases speed of command

• Goal
– Dramatic increase in mission effectiveness

• New and Emerging Philosophy of Warfare
– Sensors and Systems
– “Cyber” warfare

Page 22

Technology requirements for NEC

• Interoperability to create a “Network of Networks”
– Land/Sea/Air
– Coalition forces
– Use of unmanned vehicles (Watchkeeper, Neuron…)

• Interoperability requirement leads to standards
• Requirement for vast numbers of interconnected devices
– IPv6 improvements
– Security implications
  • System security (secure operating system)
  • Data security (network security)

• Standardisation

Page 23

Other Standards

Page 24

IPv6 – an enabler for NEC

• Internet Protocol version 6 (IPv6) is a new version of the Internet Protocol (IP)
– The successor to Internet Protocol version 4 (IPv4), the foundation of the TCP/IP protocol suite

• Supports the continued growth and advancement of the Internet
– Supports more directly-connected Internet nodes

• Allows the Internet to become a truly global network
– Enables ubiquitous connectivity – home, car and personal networks

Page 25

Open Tools Environment - Eclipse

Eclipse 3.1 Open Tools Environment
• Customizable, task oriented perspectives
• Standards-based
• Open and extensible

Project, Compile, Edit
• Project templates for commonly required configurations
• IDE managed or command-line defined builds
• Choice of compilers and editors

Debugger Infrastructure
• Common debug interface regardless of target connection
• Built with differences between device HW and SW in mind

Test
• Add-on products to enable better device quality
• Unit Tester – unit and integration testing
• Diagnostics – dynamic instrumentation on a running system

One Common Cockpit for All Phases of Device Development, Debug and Test

"The FCS program sought a common software development environment that was an extensible, standards-based platform, to address a broad range of needs for its software development projects," said Paul Schoen, Director of Software for SoSCOE, FCS. "Based on these and other defined criteria, the historical evidence of Wind River Workbench's Eclipse foundation promises a significant increase in productivity due to its flexibility, ease-of-use and scalability."

Page 26

Software Safety Certification

What impact does Safety have on systems?

Page 27

What is Software Safety Certification?

An approval by an individual or a company that a set of software meets the safety standards set by an agency responsible for guaranteeing safety in a particular industry.

• FAA – Federal Aviation Administration: RTCA DO-178B, RTCA DO-254, RTCA DO-278
• EASA – Joint Aviation Authorities: EUROCAE ED-12B, EUROCAE ED-80
• FDA – Food and Drug Administration: FDA 510(k)
• TÜV – Technischer Überwachungs-Verein: IEC 61508, other IEC Standards
• MoD – UK Ministry of Defense: DEF STAN 00-56

Page 28

What is a Safety Certification Process?

1. Write down requirements for human review

2. Implement those requirements

3. Test to ensure that all requirements are met

It is not creating “perfect code”

Page 29

Required DO-178B Documentation

Plan for Software Aspects of Certification (PSAC)

• Software Development Plan (SDP)
• Software Verification / Test Plan (SVP)
• Software Code Standards
• Software Requirements Standards
• Software Design Standards
• Software Change History
• Software Problem Report History
• Software Quality Assurance (SQA) Data
• Software Design Description
• Software Requirements Specification
• Software Verification Test Procedure

• Software Test Plan (STP)
• Software Unit Test Procedure
• Software Unit Test Plan
• Software Unit Test Report
• Software Integration Test Procedure
• Software Integration Test Plan
• Software Integration Test Report
• Source Code
• Test Coverage Report
• Test Results Report
• Software Correlation / Trace Matrix
• Version Description Document (VDD)
• Software Accomplishment Summary (SAS)

Average Cost of DO-178B Level A ~ $100 per line of code

Page 30

The ARINC 653 Challenge

How can I …

• change 1 independent application

• configure an application’s resources

• (re) configure the health monitor

without re-certifying the entire system?

Page 31

Replaceable Software Units

Without Wind River (other ARINC 653 operating system):
– Configuration data (partitions, ports, …) is created by an unqualified tool (a C compiler or other unqualified tool) and loaded as binary configuration data together with App 1, App 2, App 3 and App 4
– Must test and certify the entire system as a whole (“certify all together”), even for a minor configuration change
– Higher initial development time, higher certification cost, higher cost of change and re-certification

With Wind River (VxWorks ARINC 653):
– With PSC 2.1, XML-based configuration data, and a DO-178B qualified XML binary compiler that turns the XML configuration data into binary configuration data, independent applications (App 1, App 2, App 3, App 4) can be tested, certified and re-certified one by one (“certify separately”)
– Result: lower development time, lower initial certification cost, and lower cost of change and re-certification
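To make the pipeline on this slide concrete, here is an added example that is not Wind River's qualified XML compiler and does not use the ARINC 653 committee schema: a hypothetical XML configuration (partitions with memory regions, major-frame schedule windows, one channel between partitions) is validated for the properties a partitioned executive depends on and then packed into a fixed-layout binary blob. The element and attribute names, the binary layout and the sample values are all constructed for this example. The point is that time and space partitioning are configuration properties, so the tool that turns XML into binary is where overlapping windows, overlapping memory and dangling port references have to be caught, and that is why the deck puts a qualified tool in that position.

```python
"""Toy ARINC 653-style configuration validator and binary packer.
Added example; hypothetical schema and layout, not Wind River's tool."""
import struct
import xml.etree.ElementTree as ET

# Constructed sample configuration (hypothetical schema).
SAMPLE_XML = """
<Configuration majorFrameUs="20000">
  <Partition id="1" name="FlightMgmt" memBase="0x10000000" memSize="0x100000"/>
  <Partition id="2" name="Display"    memBase="0x10100000" memSize="0x100000"/>
  <Partition id="3" name="Maint"      memBase="0x10200000" memSize="0x080000"/>
  <Schedule>
    <Window partition="1" offsetUs="0"     durationUs="8000"/>
    <Window partition="2" offsetUs="8000"  durationUs="8000"/>
    <Window partition="3" offsetUs="16000" durationUs="3000"/>
  </Schedule>
  <Channel src="1" dst="2" maxMsgBytes="256"/>
</Configuration>
"""

class ConfigError(ValueError):
    pass

def parse_config(xml_text):
    root = ET.fromstring(xml_text)
    frame = int(root.get("majorFrameUs"))
    parts = {}
    for p in root.findall("Partition"):
        pid = int(p.get("id"))
        if pid in parts:
            raise ConfigError(f"duplicate partition id {pid}")
        parts[pid] = (p.get("name"), int(p.get("memBase"), 0), int(p.get("memSize"), 0))
    windows = [(int(w.get("partition")), int(w.get("offsetUs")), int(w.get("durationUs")))
               for w in root.find("Schedule").findall("Window")]
    channels = [(int(c.get("src")), int(c.get("dst")), int(c.get("maxMsgBytes")))
                for c in root.findall("Channel")]
    return frame, parts, windows, channels

def validate(frame, parts, windows, channels):
    """Space partitioning: memory regions must not overlap.
    Time partitioning: windows must fit the major frame and not overlap.
    Ports: every channel endpoint must name a configured partition."""
    regions = sorted((base, base + size, pid) for pid, (_, base, size) in parts.items())
    for (b0, e0, p0), (b1, e1, p1) in zip(regions, regions[1:]):
        if b1 < e0:
            raise ConfigError(f"memory overlap between partitions {p0} and {p1}")
    sched = sorted((off, off + dur, pid) for pid, off, dur in windows)
    for off, end, pid in sched:
        if pid not in parts:
            raise ConfigError(f"window for unknown partition {pid}")
        if end > frame:
            raise ConfigError(f"window for partition {pid} exceeds major frame")
    for (s0, e0, p0), (s1, e1, p1) in zip(sched, sched[1:]):
        if s1 < e0:
            raise ConfigError(f"schedule overlap between partitions {p0} and {p1}")
    for src, dst, _ in channels:
        if src not in parts or dst not in parts:
            raise ConfigError(f"channel {src}->{dst} references unknown partition")
        if src == dst:
            raise ConfigError(f"channel {src}->{dst} loops back to its own partition")

def compile_config(xml_text):
    """Validate, then pack into a little-endian binary table (hypothetical layout)."""
    frame, parts, windows, channels = parse_config(xml_text)
    validate(frame, parts, windows, channels)
    blob = struct.pack("<4sIHHH", b"A653", frame, len(parts), len(windows), len(channels))
    for pid in sorted(parts):
        name, base, size = parts[pid]
        blob += struct.pack("<H16sII", pid, name.encode()[:16].ljust(16, b"\0"), base, size)
    for pid, off, dur in windows:
        blob += struct.pack("<HII", pid, off, dur)
    for src, dst, maxb in channels:
        blob += struct.pack("<HHI", src, dst, maxb)
    return blob

def check(xml_text):
    """Return None if the configuration compiles, else the error message."""
    try:
        compile_config(xml_text)
        return None
    except ConfigError as e:
        return str(e)

def idle_time_us(xml_text):
    """Slack in the major frame: time not assigned to any partition window."""
    frame, _, windows, _ = parse_config(xml_text)
    return frame - sum(dur for _, _, dur in windows)

if __name__ == "__main__":
    print(len(compile_config(SAMPLE_XML)), "bytes;", idle_time_us(SAMPLE_XML), "us idle per frame")
```

Changing one window's offset so that it overlaps its neighbour, or shifting one partition's memory base into another's region, is rejected by `check` before any binary is produced; the slack reported by `idle_time_us` is the time a slack-stealing scheduler could hand out.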

Page 32

So, what does this all mean?

• DO-178B costs around $100 per SLOC
– VxWorks CERT is 16,000 SLOC
– VxWorks 653 CERT is 55,000 SLOC

• To reach Level A you need
– MCDC Code Coverage
– Deterministic Code

• Elimination of non-deterministic code conflicts with COTS goal
– POSIX (1700+ APIs in full POSIX)
– LINUX (Size and Determinism)
– IPv6 (Dynamic allocation of network buffers)
– SDR (Use of CORBA for plug-and-play waveforms)
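"MCDC code coverage" is the Level A objective named on this slide. The following added example (not from the deck, and not a qualified tool) shows what it demands of a test set: for each condition in a decision there must be a pair of tests that differ only in that condition and flip the decision's outcome. The three-condition decision and its names are constructed for the example.

```python
"""What MC/DC asks of a test set. Added example, constructed decision."""
from itertools import combinations, product

# Hypothetical decision from a mode-logic routine, over named conditions.
CONDITIONS = ("gear_down", "airspeed_low", "override")

def decision(gear_down, airspeed_low, override):
    return (gear_down and airspeed_low) or override

def independence_pairs(func, names):
    """For each condition, every pair of input vectors that differ only in
    that condition and produce different decision results."""
    n = len(names)
    vectors = list(product((False, True), repeat=n))
    pairs = {name: [] for name in names}
    for i, name in enumerate(names):
        for v in vectors:
            if v[i]:          # visit each unordered pair once, from the False side
                continue
            w = v[:i] + (True,) + v[i + 1:]
            if func(*v) != func(*w):
                pairs[name].append((v, w))
    return pairs

def mcdc_gaps(func, names, tests):
    """Conditions for which the test set contains no independence pair."""
    chosen = set(tests)
    gaps = []
    for name, pairs in independence_pairs(func, names).items():
        if not any(v in chosen and w in chosen for v, w in pairs):
            gaps.append(name)
    return gaps

def minimal_mcdc_set(func, names):
    """Smallest test set (exhaustive search) that leaves no MC/DC gap."""
    vectors = list(product((False, True), repeat=len(names)))
    for k in range(1, len(vectors) + 1):
        for subset in combinations(vectors, k):
            if not mcdc_gaps(func, names, subset):
                return list(subset)
    return vectors

if __name__ == "__main__":
    # Two tests give decision coverage (one True, one False outcome) ...
    dec_only = [(False, False, False), (True, True, False)]
    print("MC/DC gaps with decision-coverage tests:", mcdc_gaps(decision, CONDITIONS, dec_only))
    # ... but MC/DC needs n+1 = 4 cases for this decision.
    print("Minimal MC/DC set:", minimal_mcdc_set(decision, CONDITIONS))
```

The two-test set that satisfies plain decision coverage leaves every condition uncovered under MC/DC; the exhaustive search confirms that four cases (n+1 for three conditions) are the minimum here, which is the extra test effort the $100-per-SLOC figure has to pay for.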

Page 33

Software Security Certification

What impact does Security have on systems?

Page 34

World’s Fastest Security Overview

• Standard is the Common Criteria (CC), ISO 15408, accepted in North America, Europe, Israel, and Australia/NZ.
• The CC is mostly a repertoire of requirements at various levels of robustness.
• Requirements are divided into Functional (what a product does) and Assurance (how much trust we have in what it does)
• Evaluation is done at levels (EAL) 1 (low) - 7 (high).
• EAL1 - 4 are recognized internationally. EAL5+ are not.
• When you pass you get a Certificate and can use the CC Mutual Recognition Trademark.
– Similar to UL.
• Maintenance of Assurance is significant.

Page 35

Evaluation Assurance Levels (EALs)

Evaluation Assurance Levels & a (rough) Backward Compatibility Comparison to TCSEC*

*TCSEC - Trusted Computer Security Evaluation Criteria - the “Orange Book”

EAL    Name                                        TCSEC
EAL 7  Formally Verified Design & Tested           A1
EAL 6  Semiformally Verified Design & Tested       B3
EAL 5  Semiformally Designed & Tested              B2
EAL 4  Methodically Designed, Tested & Reviewed    B1
EAL 3  Methodically Tested & Checked               C2
EAL 2  Structurally Tested                         C1
EAL 1  Functionally Tested                         –

Page 36

The MILS Architecture

[Figure: a processor running an RTOS micro kernel (MILS Separation Kernel) in supervisor mode, which owns the MMU, inter-partition communications and interrupts; above it, application (user mode) partitions:
– S (SL) partition: guest OS / run-time libraries, RT CORBA, DDS
– S, TS (MLS) partition: minimum run-time library, RT CORBA, DDS
– TS (SL) partition: guest OS / run-time libraries, RT CORBA, DDS
– Network Interface Unit (MSL)
– Trusted Path PCS (MLS)
– File System Driver (MSL)
– Display Manager (MSL)
– Token Service Driver (MSL)]

MILS - Multiple Independent Levels of Security
MSL - Multi Single Level
MLS - Multi Level Secure
SL - Single Level
CORBA - Client / Server
DDS - Publish / Subscribe

Source: Mark Vanfleet, NSA
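The diagram shows the separation kernel as the only thing in supervisor mode and the only path between partitions. The following added example (not Wind River's or NSA's code) is a toy model of the policy such a kernel enforces: partitions carry fixed labels, only channels present in the static configuration exist, every other send is denied, and every decision is logged. The configuration-time rule that a single-level (SL) partition may only be wired to partitions of its own level or to MLS/MSL components is an assumption modelled on the labels in the diagram, not a rule the slide states; partition names and the sample channels are constructed.

```python
"""Toy model of separation-kernel channel policy. Added example; the
cross-level configuration rule is an assumption, not the slide's text."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Partition:
    name: str
    kind: str              # "SL", "MSL" or "MLS", as in the diagram legend
    levels: frozenset      # e.g. {"S"} for a single-level partition

@dataclass
class SeparationKernel:
    partitions: dict = field(default_factory=dict)
    channels: set = field(default_factory=set)    # allowed (src, dst) pairs, one-way
    audit: list = field(default_factory=list)

    def add_partition(self, p):
        self.partitions[p.name] = p

    def add_channel(self, src, dst):
        """Static configuration check: a channel that would connect two
        single-level partitions at different levels is rejected before the
        system runs (assumed rule; only MLS/MSL components may bridge levels)."""
        a, b = self.partitions[src], self.partitions[dst]
        if a.kind == "SL" and b.kind == "SL" and a.levels != b.levels:
            raise ValueError(f"direct SL channel across levels: {src}->{dst}")
        self.channels.add((src, dst))

    def send(self, src, dst, msg):
        """Run-time mediation: default deny, every decision logged."""
        allowed = (src, dst) in self.channels
        self.audit.append((src, dst, "ALLOW" if allowed else "DENY", len(msg)))
        return allowed

def build_demo_kernel():
    k = SeparationKernel()
    k.add_partition(Partition("app_s",  "SL",  frozenset({"S"})))
    k.add_partition(Partition("app_ts", "SL",  frozenset({"TS"})))
    k.add_partition(Partition("pcs",    "MLS", frozenset({"S", "TS"})))   # trusted path
    k.add_partition(Partition("niu",    "MSL", frozenset({"S", "TS"})))   # network I/F
    k.add_channel("app_s", "pcs")
    k.add_channel("app_ts", "pcs")
    k.add_channel("pcs", "niu")
    return k

def demo():
    k = build_demo_kernel()
    results = {
        "s_to_pcs": k.send("app_s", "pcs", b"hello"),            # configured: allowed
        "ts_to_s_direct": k.send("app_ts", "app_s", b"leak?"),    # no channel: denied
        "niu_to_pcs": k.send("niu", "pcs", b"x"),                 # reverse direction: denied
    }
    try:
        k.add_channel("app_ts", "app_s")
        results["cross_level_config"] = "accepted"
    except ValueError:
        results["cross_level_config"] = "rejected"
    results["denied_in_audit"] = sum(1 for e in k.audit if e[2] == "DENY")
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The kernel code that matters is a few lines: a set lookup and an audit append. That smallness is what makes the formal-methods cost on the next slide tractable, and it is why the diagram pushes guest OSes, middleware and drivers out into partitions rather than into the kernel.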

Page 37

NSA Estimated Life Cycle Costs for Security

• Formal Methods $$$
– Est. $1000 per SLOC

• Reduced MILS Kernel
– <5000 SLOC

• COTS Secure RTOS still $5M+

• Not just a software problem

Individual Program Costs (Proprietary Solution vs. COTS Solution):

– Development Costs (10 years): Proprietary $9 Million; COTS $0
– Runtime licenses (3000 units): Proprietary $0; COTS $600,000
– Annual Maintenance (10 year): Proprietary $???? (program borne through life cycle); COTS $100,000 per year or $1 Million
– Security Certification Costs: Proprietary unknown, estimate $5 Million; COTS $5 Million
– Total 10 year Program Costs: Proprietary ~ $16+ Million; COTS $6.6 Million
– Cost for 5 DoD programs: Proprietary ~ $80 Million; COTS $13 Million

Page 38

How does COTS Software follow these standards?

Page 39

General Purpose Platforms

• Wind River Workbench
– Eclipse-based development suite
– Complete lifecycle development
– Cross-build system

• Wind River Distribution
– Industrial-grade
– Tested, validated, supported, and maintained
– Carrier Grade Linux or VxWorks 6.2
– Networking and security packages

• Integrated Partner Ecosystem
– Software
  • Advanced networking
  • Database
– Hardware
  • COTS ATCA and CPCI boards
  • Development and reference boards

• DO-178B Level A Certification for VxWorks 6.x in 2007

[Figure: platform stack – Integrated Development Suite; Standards-based Middleware; Integrated Partner Software; Linux Kernel 2.6 / VxWorks 6.2; Integrated Partner Hardware; plus Global Services and Support]

Page 40

COTS Solution for SDR (Based on General Purpose Platform 3.2 for VxWorks and Linux)

[Figure: solution stack]
– Workbench Eclipse Framework: Eclipse; Boeing standard for FCS; common framework
– Objective Interface Systems (OIS) ORBexpress (CORBA)
– Communications Research Centre (CRC) Core Framework; CRC SCARI++
– IPv4/v6 Networking: IPv6 Gold Logo; Interpeak for MILS/DO-178B
– VxWorks 6.2: scalable; certifiable (DO-178B); power management; POSIX conformant
– Linux: pristine 2.6.10 (kernel.org); transparent build process; thorough testing & validation; global services and support
– Hardware Partners
– Global Services and Support

Page 41

Enabling Technologies: multi-core

• Application/real-time partitioning
• Upgrades
• IP protection and re-use
• Security partitioning
• Merging of legacy systems
• Algorithm offload

Page 42

Platform Safety Critical: VxWorks ARINC 653

[Figure: platform stack – Wind River Workbench; Integrated Partner Software; VxWorks 653; Hardware Support (PowerPC); Support, Training, Professional Services]

Workbench Development Suite
• Eclipse Framework
• Support for multiple OSes
  • VxWorks 653, VxWorks 6
  • Linux, ThreadX
• Editor, compiler, debugger
• C, C++, Ada*
• On-chip debug support
• Analysis tools
  • System Viewer
  • Scope tools
  • Source code analyzer

* Partner product

DO-178B Certification Tool Suite – Cuts Cert Time, Cost
• XML Configuration Suite
  • DO-178B Level A qualified development tool
  • Schema submitted to ARINC 653 committee
• DO-178B qualified verification tools
• Agent for Certification Environment
  • Port monitor
  • CPU monitor
  • Memory monitor
  • Host shell command

VxWorks 653
• Time and space partitioning
  • Plus “slack-stealing” feature
• Meets SC-200 IMA requirements
• ARINC 653 compliance, including
  • Health Management
  • Fast cold/warm restart (2 sec / 100 millisecond typical)
• Multiple partition OS with support for:
  • ARINC 653 API
  • VxWorks API subset
  • POSIX subset
  • Customer legacy OS possible
  • Slack time scheduling
• DO-178B Level A cert evidence

Integrated Partner Support
• Certifiable ARINC 664 Stack
• CORBA
• OpenGL
• ARINC 615A Data Loader

> 25 customers!

Page 43

VxWorks 653 Architecture

[Figure: layered architecture]
– User mode: ARINC Application (ARINC API), VxWorks Application (VxWorks API), POSIX Application (POSIX API), Ada Application (Ada API), each running on its own Partition OS
– Kernel mode: VxWorks 653 Application Executive (with ARINC 653 ports and time/space scheduler)
– Board Support Package (BSP)
– Hardware Board

Page 44

DO-297 Supplier Separation / Security

[Figure: roles and artefacts]
– Platform Provider: XML Table Editor -> XML Config File; supplies the Hardware Platform
– Application Developers: each uses an XML Table Editor to produce their own XML Config File
– System Integrator: XML Table Editor -> XML Config File; the DO-178B Qualified XML Compiler takes the XML config files and produces the Binary Configuration Data

Page 45

Wind River Certification Materials

Certification Evidence for RTCA DO-178B Level A:
– Platform for Safety Critical DO-178B
– Platform for Safety Critical ARINC 653

These include:
– All required DO-178B Level A documents
– Documentation for requirements
– High and low-level design
– Source code
– Test code
– Reviews
– All test results
– Coverage Analysis at Level A (MCDC)

For VxWorks/Cert: 260 MBytes, 14,000 files
For VxWorks 653: 1.9 GBytes, 55,000 files

Page 46

Wind River MILS Platform

[Figure: layered architecture]
– User mode: Secure App #1 (Level X), Secure App #2 (Level X), Secure App #3 (Level Y), Secure App #4 (Level Z), each with its own middleware
– Kernel mode: VxWorks MILS Separation Kernel (SK)
– Board Support Package (BSP)
– Hardware Board

Page 47

Wind River in Aerospace and Defence

The Wind River DSO Solution
• Industrial-strength platform
• World-class development suite
• Tightly integrated partner ecosystem
• Standards participation
• Global Services and support
• 23 years of experience in device software innovation

Page 48

Thanks!

Question and Answer Session

Alex Wilson, A&D Field Operations

[email protected]
+44-1283-792001