© 2006 Wind River
Standards, Choice and Flexibility for Aerospace and Defence Devices
SESAM, 31st May 2006
Alex Wilson, Senior Program Manager, Aerospace and Defence
Agenda
• Who are Wind River?
• Trends and Standards lead to requirements
• How does a COTS OS meet these requirements?
• What is the impact of Safety Certification?
• What is the impact of Security Certification?
What Our A&D Customers Do
Our customers make differentiated devices by focusing on intelligent, connected device software
What We Do: Device Software Optimization
Wind River enables companies to develop and run device software faster, better, at lower cost, and more reliably.
Wind River Corporate Facts
• Wind River overall: established 1981, IPO in 1993; FY06 revenue $266 million (+13%)
• Wind River Aerospace & Defence: 28% of revenue is A&D; largest A&D COTS market share
• Wind River Engineering: 450 engineers, 170 support engineers, 1200 employees worldwide
What types of systems give us information?
• Land: Abrams Tank, Challenger Tank, CHALS-X, CIBADS II, Fuchs Spürpanzer, GIG-E Program, JCAD, JTRS, MLRS, Patriot Missile, PDCUE TDOA System, THAAD Missile, TRC 4000
• Sea: AEGIS, AN/AQS20/X Sonar, AN/SQQ-89 ASW, Astute Class Sub., Harpoon Missile, Mark 48, GMVLS MK41, 5 inch gun, NCSSS, NAVMACS, Phalanx – CIWS, SGS, SSDS, Trident Missile, Type 45 Destroyer
• Air: Apache Helicopter, AWACS, Airbus A400M, B-1B, B-2, B-52, C-130 AMP, EC-725 Helicopter, Eurofighter Typhoon, F-15, F-16, F-18, F-22, F-35 (JSF), Global Hawk UAV, Tornado, UCAS-N (X-47B)
• Space: A2100 Satellite, EGNOS, HOPE-X Space Plane, Mars Rovers, Mars Odyssey, Mars Recon Orbiter, Mars Pathfinder, MTSAT-2 Satellite, MUBLCOMM Satellite, NASA Space Shuttle, NPOESS, ORBCOMM, PROBA Satellite, SBIRS, SORCE Satellite, X-38 Space Lifeboat
• Commercial Aviation: Airbus A318, A319, A320, A340, A380, ATIDS, Boeing 777, Boeing 787 Dreamliner, EC-225 Helicopter, GlobalStar 2100, VICTORIA Program, WAAS
A&D (Force) Transformations in DSO
Old Way                → New Way
Foot Soldier           → Robotic Device
Manned Aircraft        → Unmanned Aerial Devices
Federated Systems      → Integrated Modular
Proprietary Systems    → COTS Systems
Proprietary APIs       → Standard APIs
Standalone / Isolated  → Networked / Connected
Aerospace & Defence Industry Characteristics
Chart: notional projected lifetime of the B-52 (1946 / 1955) extended to 2040+, a 94+ year lifetime; axis 0 to 100 years.
• Increasingly long lifecycles
  – How to update existing capabilities?
  – How to overcome obstacles due to obsolescence?
• Processor architecture migration
  – Increased supply cost of near-obsolete components
  – New technology introduction: multicore, FPGA, SoC?
• Software obsolescence and reuse
  – Emerging software standards: IPv6, ANSI C++, ARINC 653
  – Host support: Windows 95, NT, 98, 2000, XP…
• Safety and security requirements
COTS and Open Standards
COTS Systems
• Interoperability, compatibility and obsolescence concerns:
  – Is the software API consistent across diverse processor architectures?
  – Can the vendor readily support multiple COTS targets?
  – Does the vendor provide consistency across hosts and targets?
  – Who handles middleware integration?
  – Who handles hardware/software integration?
• Do open standards help?
  – POSIX
  – Linux
  – ARINC 653
  – ANSI language standards
DO-178B Glossary Entry: “Commercial off the shelf (COTS) software – Commercially available applications sold by vendors through public catalog listings. COTS software is not intended to be customized or enhanced. Contract-negotiated software developed for a specific application is not COTS software.”
POSIX® /pahz-icks/
• An acronym for Portable Operating System Interface
• POSIX is a set of books specifying APIs
  – It is neither a piece of code nor an operating system
  – It is a rich, proven API
• POSIX.1 is the full POSIX standard
  – Defined by IEEE Std 1003.1-2003
  – POSIX.1: 1123 routines (APIs)
• Profiles PSE51–PSE54 are subsets of POSIX.1
  – Defined by IEEE Std 1003.13-2003
Figure: the POSIX volumes – Definitions, System Interfaces, Commands and Rationale.
• It's about portability
  – Of both programmers and application source code
  – Portability of the OS kernel itself and/or of application binary code are not objectives
LINUX
• Linux overview
  – Full-featured Unix, "mostly" POSIX compliant *
  – SMP capable
  – Linux is NOT hard real-time (non-deterministic; the kernel is not fully preemptible)
  – Generally requires more resources than a COTS RTOS
• LSB – Linux Standard Base – Version 3.1 (Q2 2006)
  – http://freestandards.org/en/LSB
  – Covers the application (i.e. binary) interface and the kernel
  – Draws on other standards such as POSIX
* See The Open Group document: POSIX and Linux Application Compatibility Design Rules by C. Douglass Locke
What is ARINC 653?
ARINC 653 is an application executive (APEX) specification used for integrating avionics systems on modern aircraft.
Figure: Federated System vs Integrated Modular Avionics. In the federated system each function is a separate box wired to the Flight Management Computer: FCC, ILS/MLS, DME/ADF, VOR, OMC, IRS, GPS, CDU, FQIS, EEC, FDR, MCP, ADC, IDS, CLOCK. In IMA these functions are hosted as partitions on shared computing modules.
Example: Boeing 787 Common Core
Functions hosted on the Common Core System (CCS):
• Displays, Flight Management, Air Data, Navigation, Data Loading
• Common Core System, Health Management, Fuel Management
• Auxiliary Power Unit, Flight Data Recorder
• Landing Gear, Brakes, Steering
• Cabin Pressure, Environmental Control, Hydraulics, Backup Electrical, Crew/Pax O2, Fire Protection, H2O/Lavs
• Thrust Reversers
• Crew Alerting, Window Heat, Ground Proximity Warning System, Emergency Lighting
~25 CCS suppliers
ANSI Language Standards
• C and C++ ANSI standards fairly common for all compilers
  – Exception: Visual C++
  – Some uptake of the MISRA C subset
  – Move towards a MISRA-like subset for C++
• Ada 2005 enhances standardisation of Ada
  – Ada still used heavily in Europe for safety-related tasks
• Java usage
  – Still increasing; some A&D usage (particularly real-time Java)
Example of Standardisation: Software Defined Radio
The Problem – Interoperability
• Northern Iraq: US Navy jets mistakenly attacked a Kurdish convoy led by US Special Operations Forces. Caused by a simple mix-up: the radios carried by the SOF were compatible only with USAF aircraft, not with the US Navy jets that attacked them.
• September 11: hundreds of firefighters and police officers rushed into the World Trade Center. Helicopters circling overhead noticed the buildings starting to glow and relayed to incident commanders on the ground that the buildings might collapse. The police officers were given the order to evacuate; all but 80 escaped. The firefighters never got the word; 121 of them were lost, most within striking distance of safety.
The Solution: Software Defined Radio
An enabling technology:
• Economies of scale
• Interoperability
• Remote management
• Standardisation
“A software-defined radio (SDR) system is a radio communication system which uses software for the modulation and demodulation of radio signals”
…or more simply put, plug-and-play waveforms!
Software Communications Architecture
• Modeling tools and reference implementations help developers build SCA-compliant waveforms
• The SCA Definition Document is a standards-based framework: it defines how elements of hardware and software are to operate in harmony within JTRS (load waveforms, run applications, and be networked into an integrated system)
Figure: SCA software stack – Application Development Tools (IDE) and SCA Development Tools on the host; on the radio, the SCA Core Framework over CORBA, the Operating System with IPv4/v6 networking, and the Hardware (GPP, FPGA, DSP).
• SCA 2.2.1 Definition Document
  – API and services to provide abstraction of the underlying hardware and software
  – FPGAs – re-programmable for various waveforms
  – DSPs – intensive computations
Example of Standardisation: Network Enabled Capability
Network Enabled Capability
• Concept of a NEC
  – A robust networked force improves information sharing
  – Information sharing enhances the quality of information and shared situational awareness
  – Shared situational awareness
    • enables collaboration and self-synchronisation
    • enhances sustainability
    • increases speed of command
• Goal
  – Dramatic increase in mission effectiveness
• New and emerging philosophy of warfare
  – Sensors and systems
  – "Cyber" warfare
Technology requirements for NEC
• Interoperability to create a "network of networks"
  – Land/Sea/Air; coalition forces
  – Use of unmanned vehicles (Watchkeeper, Neuron, …)
• The interoperability requirement leads to standards
• Requirement for vast numbers of interconnected devices
  – IPv6 improvements
  – Security implications
    • System security (secure operating system)
    • Data security (network security)
• Standardisation
Other Standards
IPv6 – an enabler for NEC
• Internet Protocol version 6 (IPv6) is a new version of the Internet Protocol (IP)
  – The successor to Internet Protocol version 4 (IPv4), the foundation of the TCP/IP protocol suite
• Supports the continued growth and advancement of the Internet
  – Supports more directly-connected Internet nodes
• Allows the Internet to become a truly global network
  – Enables ubiquitous connectivity: home, car and personal networks
Open Tools Environment - Eclipse
Eclipse 3.1 Open Tools Environment
• Customizable, task-oriented perspectives
• Standards-based
• Open and extensible
Project / Compile / Edit
• Project templates for commonly required configurations
• IDE-managed or command-line defined builds
• Choice of compilers and editors
Debugger infrastructure
• Common debug interface regardless of target connection
• Built with differences between device hardware and software in mind
Test
• Add-on products to enable better device quality
• Unit Tester – unit and integration testing
• Diagnostics – dynamic instrumentation on a running system
One common cockpit for all phases of device development, debug and test
"The FCS program sought a common software development environment that was an extensible, standards-based platform, to address a broad range of needs for its software development projects," said Paul Schoen, Director of Software for SoSCOE, FCS. "Based on these and other defined criteria, the historical evidence of Wind River Workbench's Eclipse foundation promises a significant increase in productivity due to its flexibility, ease-of-use and scalability."
Software Safety Certification
What impact does Safety have on systems?
What is Software Safety Certification?
An approval by an individual or a company that a set of software meets the safety standards set by an agency responsible for guaranteeing safety in a particular industry.
FAA – Federal Aviation Administration
• RTCA DO-178B, RTCA DO-254, RTCA DO-278
EASA – European Aviation Safety Agency (successor to the Joint Aviation Authorities, JAA)
• EUROCAE ED-12B, EUROCAE ED-80
FDA – Food and Drug Administration
• FDA 510(k)
TÜV – Technischer Überwachungs-Verein
• IEC 61508, other IEC standards
MoD – UK Ministry of Defence
• DEF STAN 00-56
What is a Safety Certification Process?
1. Write down requirements for human review
2. Implement those requirements
3. Test to ensure that all requirements are met
It is not creating “perfect code”
Required DO-178B Documentation
• Plan for Software Aspects of Certification (PSAC)
• Software Development Plan (SDP)
• Software Verification / Test Plan (SVP)
• Software Code Standards
• Software Requirements Standards
• Software Design Standards
• Software Change History
• Software Problem Report History
• Software Quality Assurance (SQA) Data
• Software Design Description
• Software Requirements Specification
• Software Verification Test Procedure
• Software Test Plan (STP)
• Software Unit Test Plan
• Software Unit Test Procedure
• Software Unit Test Report
• Software Integration Test Plan
• Software Integration Test Procedure
• Software Integration Test Report
• Source Code
• Test Coverage Report
• Test Results Report
• Software Correlation / Trace Matrix
• Version Description Document (VDD)
• Software Accomplishment Summary (SAS)
Average Cost of DO-178B Level A ~ $100 per line of code
The ARINC 653 Challenge
How can I …
• change 1 independent application
• configure an application’s resources
• (re) configure the health monitor
without re-certifying the entire system?
Replaceable Software Units
Without Wind River (other ARINC 653 operating system):
• Configuration data (partitions, ports, …) is created by an unqualified tool (a C compiler or other unqualified tool) and linked into the system as binary configuration data.
• App 1, App 2, App 3 and App 4 must be certified all together: the entire system is tested and certified as a whole, even for a minor configuration change.
• Higher initial development time, higher certification cost, higher cost of change and re-certification.
With Wind River (VxWorks ARINC 653):
• With PSC 2.1, XML-based configuration data is compiled to binary configuration data by a DO-178B qualified XML compiler.
• App 1 to App 4 are certified separately: independent applications are tested, certified and re-certified one by one.
• Result: lower development time, lower initial certification cost, and lower cost of change and re-certification.
So, what does this all mean?
• DO-178B costs around $100 per SLOC
  – VxWorks CERT is 16,000 SLOC
  – VxWorks 653 CERT is 55,000 SLOC
• To reach Level A you need
  – MC/DC code coverage
  – Deterministic code
• Elimination of non-deterministic code conflicts with the COTS goal
  – POSIX (1700+ APIs in full POSIX)
  – Linux (size and determinism)
  – IPv6 (dynamic allocation of network buffers)
  – SDR (use of CORBA for plug-and-play waveforms)
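MC/DC, required at Level A, means showing for every condition in a decision that it can independently change the decision's outcome. The Python below is an added example, not code from the slides or from Wind River: it derives the independence pairs for a constructed decision `a and (b or c)`, searches for a minimal set of test vectors, and shows how a decision with a coupled condition (`a or (a and b)`, also constructed) cannot reach MC/DC at all, which is how the criterion flags dead or redundant logic.

```python
"""Added example, not from the slides: derive MC/DC independence pairs and a
minimal test set for a Boolean decision. The decision `a and (b or c)` and the
coupled decision used to show failure are constructed."""
from itertools import combinations, product


def decision(a, b, c):
    """Constructed example decision with three conditions."""
    return a and (b or c)


def truth_table(fn, n):
    """Every condition vector (as a tuple of bools) with its decision outcome."""
    return {row: bool(fn(*row)) for row in product((True, False), repeat=n)}


def independence_pairs(fn, n):
    """For each condition index, the pairs (row with condition True, same row
    with it False) whose outcomes differ: evidence that the condition alone
    changes the decision, which is what MC/DC demands of every condition."""
    table = truth_table(fn, n)
    pairs = {i: [] for i in range(n)}
    for i in range(n):
        for row, outcome in table.items():
            if not row[i]:
                continue
            flipped = row[:i] + (False,) + row[i + 1:]
            if table[flipped] != outcome:
                pairs[i].append((row, flipped))
    return pairs


def minimal_mcdc_set(fn, n):
    """Smallest set of test vectors that contains an independence pair for every
    condition. n+1 is the theoretical minimum, so the search starts there; brute
    force is fine for the handful of conditions found in a single decision."""
    pairs = independence_pairs(fn, n)
    dead = [i for i, p in pairs.items() if not p]
    if dead:
        # A condition with no pair can never be shown to matter: MC/DC is
        # unreachable and the decision has redundant or coupled logic.
        raise ValueError(f"conditions {dead} never independently affect the decision")
    rows = sorted(truth_table(fn, n))
    for size in range(n + 1, len(rows) + 1):
        for candidate in combinations(rows, size):
            chosen = set(candidate)
            if all(any(r1 in chosen and r2 in chosen for r1, r2 in p) for p in pairs.values()):
                return frozenset(chosen)
    raise AssertionError("unreachable: the full truth table covers every pair")


def coupled(a, b):
    """Constructed decision where b never independently affects the outcome."""
    return a or (a and b)


if __name__ == "__main__":
    for i, p in independence_pairs(decision, 3).items():
        print("condition", "abc"[i], "pairs:", p)
    print("minimal MC/DC set:", sorted(minimal_mcdc_set(decision, 3)))
```

For `a and (b or c)` the condition `b` has exactly one independence pair (a=T, c=F, b flipped) and `c` likewise, so any MC/DC-complete set must contain the vector (T, F, F); four vectors suffice, against eight for exhaustive testing. The search is exponential in the number of conditions, which is acceptable only because a single decision rarely has more than a handful.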
Software Security Certification
What impact does Security have on systems?
World’s Fastest Security Overview
• Standard is the Common Criteria (CC), ISO 15408, accepted in North America, Europe, Israel, and Australia/NZ.
• The CC is mostly a repertoire of requirements at various levels of robustness.
• Requirements are divided into Functional (what a product does) and Assurance (how much trust we have in what it does)
• Evaluation is done at Evaluation Assurance Levels (EAL) 1 (low) to 7 (high).
• EAL1–4 are recognized internationally under the CC Recognition Arrangement; EAL5+ are not.
• When you pass you get a certificate and can use the CC Mutual Recognition trademark – similar to a UL mark.
• Maintenance of Assurance is significant.
Evaluation Assurance Levels (EALs)
Evaluation Assurance Levels & a (rough) backward-compatibility comparison to TCSEC*
*TCSEC – Trusted Computer System Evaluation Criteria – the "Orange Book"

EAL    Name                                        TCSEC
EAL 1  Functionally Tested                         –
EAL 2  Structurally Tested                         C1
EAL 3  Methodically Tested & Checked               C2
EAL 4  Methodically Designed, Tested & Reviewed    B1
EAL 5  Semiformally Designed & Tested              B2
EAL 6  Semiformally Verified Design & Tested       B3
EAL 7  Formally Verified Design & Tested           A1
The MILS Architecture
Figure: MILS architecture (source: Mark Vanfleet, NSA). On each processor an RTOS micro kernel, the MILS separation kernel, runs in supervisor mode and owns the MMU, inter-partition communications and interrupts. Everything else runs in user-mode application partitions:
• Guest OS / run-time libraries with RT CORBA and DDS, level S (SL)
• Minimum run-time library with RT CORBA and DDS, levels S and TS (MLS)
• Guest OS / run-time libraries with RT CORBA and DDS, level TS (SL)
• Network Interface Unit (MSL)
• Trusted Path PCS (MLS)
• File System Driver (MSL)
• Display Manager (MSL)
• Token Service Driver (MSL)
Legend: MILS – Multiple Independent Levels of Security; MSL – Multi Single Level; MLS – Multi Level Secure; SL – Single Level; CORBA – client/server; DDS – publish/subscribe.
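What the separation kernel actually enforces is a static table of permitted flows; everything about the security argument rests on that table being right and on there being no other route between partitions. The Python below is an added example, not code from the slides, Wind River or the NSA. The partitions follow the figure (single-level guests at S and TS, an MLS component, MSL drivers); the lattice U < S < TS, the channel list and the two rules are constructed assumptions: a non-MLS partition may only emit data at a level it holds, and data may never flow down into a partition that cannot hold its level unless an evaluated MLS component is the receiver. The kernel side then refuses any configuration with a violation and drops any flow that is not configured.

```python
"""Added example, not Wind River or NSA code: check a MILS partition layout
against a static information-flow policy and model the separation kernel's
default-deny routing. Partitions follow the figure; the lattice, channel list
and rule set are constructed assumptions."""
from dataclasses import dataclass

LEVEL = {"U": 0, "S": 1, "TS": 2}  # constructed lattice: U < S < TS


@dataclass(frozen=True)
class Partition:
    name: str
    kind: str          # "SL" single level, "MSL" multiple single levels, "MLS" evaluated multi-level
    levels: frozenset  # labels the partition may hold


def may_send(p, lvl):
    """A non-MLS partition may only emit data at a level it actually holds;
    an evaluated MLS component is trusted to label (and downgrade) data."""
    return p.kind == "MLS" or lvl in p.levels


def may_receive(p, lvl):
    """Receiving is fine when the partition can hold a dominating level
    (write-up is allowed, write-down is not) or it is a trusted MLS component."""
    return p.kind == "MLS" or any(LEVEL[l] >= LEVEL[lvl] for l in p.levels)


def check_policy(partitions, channels):
    """Return one message per channel that would violate the policy."""
    errors = []
    for src, dst, lvl in channels:
        if not may_send(partitions[src], lvl):
            errors.append(f"{src}->{dst}@{lvl}: {src} does not hold {lvl}")
        elif not may_receive(partitions[dst], lvl):
            errors.append(f"{src}->{dst}@{lvl}: write-down into {dst}")
    return errors


def load_channels(partitions, channels):
    """Separation-kernel view: a configuration with violations is refused
    outright; otherwise the channel set becomes the static allow-list."""
    errors = check_policy(partitions, channels)
    if errors:
        raise ValueError("; ".join(errors))
    return frozenset(channels)


def deliver(allowed, src, dst, lvl):
    """Run-time check: only configured flows are delivered, everything else
    is dropped. There is no ambient route between partitions."""
    return (src, dst, lvl) in allowed


# Constructed partitions mirroring the MILS figure.
PARTITIONS = {p.name: p for p in [
    Partition("guest_S", "SL", frozenset({"S"})),
    Partition("guest_TS", "SL", frozenset({"TS"})),
    Partition("guard", "MLS", frozenset({"S", "TS"})),   # minimum run-time, S and TS
    Partition("niu", "MSL", frozenset({"S", "TS"})),     # network interface unit
    Partition("display", "MSL", frozenset({"S", "TS"})),
]}

# Constructed channel list; the last three are deliberate policy violations.
CHANNELS = [
    ("guest_S", "guard", "S"),
    ("guard", "guest_TS", "TS"),
    ("guest_S", "niu", "S"),
    ("guest_S", "guest_TS", "S"),   # write-up: S data into a TS partition is fine
    ("guest_TS", "guest_S", "TS"),  # write-down: TS into an S-only partition
    ("niu", "guest_S", "TS"),       # MSL driver routing TS traffic to the S partition
    ("guest_TS", "niu", "S"),       # TS partition relabelling its output as S, no guard
]

if __name__ == "__main__":
    for e in check_policy(PARTITIONS, CHANNELS):
        print("REJECT:", e)
```

Note that the rules deliberately let a TS-to-S path exist only when the MLS guard sits in the middle (guest_TS to guard, guard to guest_S would both pass); that is the MILS division of labour, with the kernel enforcing the table and the small evaluated MLS component carrying the downgrade logic.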
NSA Estimated Life Cycle Costs for Security
• Formal methods are expensive ($$$): est. $1000 per SLOC
• Reduced MILS kernel: <5000 SLOC
• COTS secure RTOS still $5M+
• Not just a software problem

Individual program costs          Proprietary Solution                       COTS Solution
Development costs (10 years)      $9 Million                                 $0
Runtime licenses (3000 units)     $0                                         $600,000
Annual maintenance (10 year)      $???? (program-borne through life cycle)   $100,000 per year, or $1 Million
Security certification costs      Unknown, estimate $5 Million               $5 Million
Total 10-year program costs       ~$16+ Million                              $6.6 Million
Cost for 5 DoD programs           ~$80 Million                               ~$13 Million
How does COTS Software follow these standards?
General Purpose Platforms
• Wind River Workbench
  – Eclipse-based development suite
  – Complete lifecycle development
  – Cross-build system
• Wind River Distribution
  – Industrial-grade
  – Tested, validated, supported, and maintained
  – Carrier Grade Linux or VxWorks 6.2
  – Networking and security packages
• Integrated partner ecosystem
  – Software: advanced networking, database
  – Hardware: COTS ATCA and CPCI boards; development and reference boards
• DO-178B Level A certification for VxWorks 6.x in 2007
Figure: platform stack – Integrated Development Suite; Standards-based Middleware; Integrated Partner Software; Linux Kernel 2.6 / VxWorks 6.2; Integrated Partner Hardware; plus Global Services and Support.
COTS Solution for SDR (based on General Purpose Platform 3.2 for VxWorks and Linux)
• Workbench / Eclipse framework: Eclipse; Boeing standard for FCS; common framework
• Middleware: Objective Interface Systems (OIS) ORBexpress (CORBA); Communications Research Centre (CRC) Core Framework, CRC SCARI++
• IPv4/v6 networking: IPv6 Gold Logo; Interpeak for MILS/DO-178B
• VxWorks 6.2: scalable; certifiable (DO-178B); power management; POSIX conformant
• Linux: pristine 2.6.10 (kernel.org); transparent build process; thorough testing & validation; global services and support
• Hardware partners
• Global Services and Support
Enabling Technologies: multi-core
• Application / real-time partitioning
• Upgrades
• IP protection and re-use
• Security partitioning
• Merging of legacy systems
• Algorithm offload
Platform Safety Critical – VxWorks ARINC 653
Figure: platform stack – Wind River Workbench; Integrated Partner Software; VxWorks 653; Hardware Support (PowerPC); Support, Training, Professional Services.
Workbench Development Suite
• Eclipse framework
• Support for multiple OSes: VxWorks 653, VxWorks 6, Linux, ThreadX
• Editor, compiler, debugger
• C, C++, Ada*
• On-chip debug support
• Analysis tools: System Viewer, Scope tools, source code analyzer
* Partner product
DO-178B Certification Tool Suite – cuts certification time and cost
• XML Configuration Suite: DO-178B Level A qualified development tool; schema submitted to the ARINC 653 committee
• DO-178B qualified verification tools
• Agent for Certification Environment: port monitor, CPU monitor, memory monitor, host shell command
VxWorks 653
• Time and space partitioning, plus "slack-stealing" feature
• Meets SC-200 IMA requirements
• ARINC 653 compliance, including Health Management
• Fast cold/warm restart (2 s / 100 ms typical)
• Multiple partition OS with support for: ARINC 653 API, VxWorks API subset, POSIX subset, customer legacy OS possible, slack time scheduling
• DO-178B Level A certification evidence
Integrated Partner Support
• Certifiable ARINC 664 stack
• CORBA
• OpenGL
• ARINC 615A Data Loader
> 25 customers!
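Time partitioning is what turns the partitioned design into a security mechanism rather than a scheduling convenience: a partition that spins forever, whether faulty or compromised, can only burn its own window, and the health monitor sees an overrun rather than the other partitions seeing lost time. The Python below is an added example, not VxWorks 653 code. Partition names, tick budgets and behaviours are constructed, and the "slack" partition models the slack-stealing feature as unused ticks handed to a designated background partition instead of being lost.

```python
"""Added example, not VxWorks 653 code: a tick-based model of ARINC 653
cyclic scheduling. Each partition owns a fixed window in the major frame and is
preempted by the kernel timer when the window ends; unused ticks become slack
for a designated background partition. Names, budgets and behaviours are constructed."""
from dataclasses import dataclass


@dataclass
class Partition:
    name: str
    window_ticks: int          # guaranteed budget per major frame
    work_ticks: int            # work the partition tries to do per frame
    well_behaved: bool = True  # False: never yields, spins until preempted
    ran: int = 0               # ticks actually executed across all frames


def major_frame_ticks(schedule):
    """Length of the major frame: the sum of the fixed partition windows."""
    return sum(p.window_ticks for p in schedule)


def run_frames(schedule, frames, slack_consumer=None):
    """Run `frames` major frames. Returns (ticks per partition, health-monitor
    events). A partition whose work does not fit its window is reported as an
    overrun and preempted; a partition that never yields consumes exactly its
    own window and nothing more, so the other budgets are untouched."""
    events = []
    for frame in range(frames):
        for p in schedule:
            used = 0
            while used < p.window_ticks:                  # kernel timer bounds the window
                if p.well_behaved and used >= p.work_ticks:
                    break                                 # finished early: yield
                used += 1                                 # one tick of partition code
            p.ran += used
            if p.well_behaved and p.work_ticks > used:
                events.append((frame, p.name, "overrun: preempted at window end"))
            slack = p.window_ticks - used
            if slack and slack_consumer is not None:      # slack stealing
                slack_consumer.ran += slack
    totals = {p.name: p.ran for p in schedule}
    if slack_consumer is not None:
        totals[slack_consumer.name] = slack_consumer.ran
    return totals, events


def build_schedule():
    """Constructed module: a partition that finishes early, one that spins
    forever (faulty or compromised) and one whose work exceeds its window."""
    return [
        Partition("nav", window_ticks=5, work_ticks=3),
        Partition("rogue", window_ticks=4, work_ticks=4, well_behaved=False),
        Partition("disp", window_ticks=3, work_ticks=6),
    ]


if __name__ == "__main__":
    sched = build_schedule()
    totals, events = run_frames(sched, 2, slack_consumer=Partition("slack", 0, 0))
    print(totals)
    for ev in events:
        print("HM:", ev)
```

Over two frames the rogue partition gets exactly 8 ticks (two windows of 4), nav's two unused ticks per frame go to the slack partition, and disp's overrun is reported twice without anyone else losing time; the total is still two full major frames. A real APEX implementation enforces the window with a hardware timer and the MMU keeps the space side honest, but the accounting is the same.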
VxWorks 653 Architecture
Figure: VxWorks 653 architecture. Kernel mode: the VxWorks 653 application executive (with ARINC 653 ports and the time/space scheduler) on a Board Support Package (BSP) on the hardware board. User mode: one partition OS per partition, each exposing the API its application needs – an ARINC application on the ARINC API, a VxWorks application on the VxWorks API, a POSIX application on the POSIX API, an Ada application on the Ada API.
DO-297 Supplier Separation / Security
Figure: DO-297 roles. The Platform Provider supplies the hardware platform, the DO-178B qualified XML compiler and an XML table editor. The System Integrator and each of the Application Developers use the XML table editor to produce their own XML config files. The integrator merges these into the module's XML config file, and the qualified XML compiler turns it into binary configuration data, so each supplier's contribution stays separate and can be changed without touching the others.
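The value of a qualified configuration compiler lies in what it checks before it emits binary configuration data, because a bad table defeats the partitioning the kernel is certified to enforce. As an added example (not Wind River's schema or compiler, neither of which is shown on these slides), the Python below reads three constructed XML fragments in the roles of the figure above and of the Replaceable Software Units slide, validates space partitioning (disjoint regions inside module memory), time partitioning (non-overlapping windows within the major frame, every partition scheduled) and inter-partition communication (channels only between declared partitions), and only then packs a fixed-layout blob. Element and attribute names are assumptions, and two of the sample entries are wrong on purpose.

```python
"""Added example, not Wind River code: validate a hypothetical ARINC 653 module
configuration assembled from platform, application and schedule XML, then emit
a fixed-layout binary blob (the qualified XML compiler's job). Element names,
attributes and the sample values are constructed assumptions."""
import struct
import xml.etree.ElementTree as ET

# Constructed inputs in the roles of platform provider, application developers
# and system integrator. The 'maint' region and the 'hmu' channel are wrong on purpose.
PLATFORM_XML = """<Platform major_frame_us="20000">
  <Memory start="0x10000000" size="0x01000000"/>
</Platform>"""

APPLICATIONS_XML = """<Applications>
  <Partition name="fms"   start="0x10000000" size="0x00400000"/>
  <Partition name="disp"  start="0x10400000" size="0x00400000"/>
  <Partition name="maint" start="0x10700000" size="0x00200000"/>
</Applications>"""

SCHEDULE_XML = """<Schedule>
  <Window partition="fms"   offset_us="0"     duration_us="8000"/>
  <Window partition="disp"  offset_us="8000"  duration_us="6000"/>
  <Window partition="maint" offset_us="14000" duration_us="4000"/>
  <Channel src="fms" dst="disp" port="nav_data"/>
  <Channel src="fms" dst="hmu"  port="health"/>
</Schedule>"""


def parse_config(platform_xml, applications_xml, schedule_xml):
    """Merge the three XML fragments into one plain dict."""
    plat = ET.fromstring(platform_xml)
    mem = plat.find("Memory")
    cfg = {"major_frame_us": int(plat.get("major_frame_us")),
           "memory": (int(mem.get("start"), 16), int(mem.get("size"), 16)),
           "partitions": {}, "windows": [], "channels": []}
    for p in ET.fromstring(applications_xml).findall("Partition"):
        cfg["partitions"][p.get("name")] = (int(p.get("start"), 16), int(p.get("size"), 16))
    sched = ET.fromstring(schedule_xml)
    for w in sched.findall("Window"):
        cfg["windows"].append((w.get("partition"), int(w.get("offset_us")), int(w.get("duration_us"))))
    for c in sched.findall("Channel"):
        cfg["channels"].append((c.get("src"), c.get("dst"), c.get("port")))
    return cfg


def validate(cfg):
    """Return the list of violations; an empty list means the configuration
    respects space partitioning, time partitioning and declared channels."""
    errors = []
    mstart, msize = cfg["memory"]
    parts = sorted(cfg["partitions"].items(), key=lambda kv: kv[1][0])
    for name, (start, size) in parts:
        if start < mstart or start + size > mstart + msize:
            errors.append(f"{name}: memory region outside module memory")
    for (n1, (s1, z1)), (n2, (s2, _)) in zip(parts, parts[1:]):
        if s1 + z1 > s2:
            errors.append(f"{n1}/{n2}: memory regions overlap")
    wins = sorted(cfg["windows"], key=lambda w: w[1])
    for name, off, dur in wins:
        if name not in cfg["partitions"]:
            errors.append(f"window for undeclared partition {name}")
        if off + dur > cfg["major_frame_us"]:
            errors.append(f"{name}: window exceeds major frame")
    for (n1, o1, d1), (n2, o2, _) in zip(wins, wins[1:]):
        if o1 + d1 > o2:
            errors.append(f"{n1}/{n2}: time windows overlap")
    scheduled = {w[0] for w in wins}
    for name in cfg["partitions"]:
        if name not in scheduled:
            errors.append(f"{name}: no scheduling window")
    for src, dst, port in cfg["channels"]:
        for end in (src, dst):
            if end not in cfg["partitions"]:
                errors.append(f"channel {port}: undeclared endpoint {end}")
    return errors


def compile_binary(cfg):
    """Pack a violation-free configuration as little-endian records: a header
    (major frame, partition count, window count), one (start, size) per
    partition in name order, one (partition index, offset, duration) per window."""
    errors = validate(cfg)
    if errors:
        raise ValueError("; ".join(errors))
    names = sorted(cfg["partitions"])
    index = {n: i for i, n in enumerate(names)}
    blob = struct.pack("<III", cfg["major_frame_us"], len(names), len(cfg["windows"]))
    for n in names:
        blob += struct.pack("<II", *cfg["partitions"][n])
    for name, off, dur in sorted(cfg["windows"], key=lambda w: w[1]):
        blob += struct.pack("<III", index[name], off, dur)
    return blob


if __name__ == "__main__":
    config = parse_config(PLATFORM_XML, APPLICATIONS_XML, SCHEDULE_XML)
    for err in validate(config):
        print("REJECT:", err)
```

Run as-is the validator rejects the sample for two reasons: the `maint` region overlaps `disp`, which would let one supplier's application read another's memory, and the `health` channel names a partition nobody declared. Moving `maint` to 0x10800000 and dropping the stray channel yields a clean configuration and a 72-byte blob; in a real tool chain that blob, not the XML, is what the certified executive consumes, which is why the compiler itself must be qualified.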
Wind River Certification Materials
Certification evidence for RTCA DO-178B Level A:
– Platform for Safety Critical DO-178B
– Platform for Safety Critical ARINC 653
These include:
– All required DO-178B Level A documents
– Documentation for requirements
– High- and low-level design
– Source code
– Test code
– Reviews
– All test results
– Coverage analysis at Level A (MC/DC)
For VxWorks/Cert: 260 MBytes, 14,000 files
For VxWorks 653: 1.9 GBytes, 55,000 files
Wind River MILS Platform
Figure: Wind River MILS platform. Kernel mode: the VxWorks MILS Separation Kernel (SK) on a Board Support Package (BSP) on the hardware board. User mode: Secure App #1 (Level X), Secure App #2 (Level X), Secure App #3 (Level Y) and Secure App #4 (Level Z), each with its own middleware inside its partition.
Wind River in Aerospace and Defence: the Wind River DSO Solution
• Industrial-strength platform
• World-class development suite
• Tightly integrated partner ecosystem
• Standards participation
• Global Services and support
• 23 years of experience in device software innovation
Thanks!
Question and Answer Session
Alex Wilson, A&D Field Operations
[email protected]  +44-1283-792001