NextGen/SESAR ATM initiatives add to RTOS complexity but do not directly impact DO-178B RTOS certification

Dec. 2, 2010
Future air traffic management systems (ATMs) such as the Federal Aviation Administration's (FAA's) Next Generation Air Transportation System (NextGen) and Europe's SESAR (Single European Sky ATM) are creating many new avionics software applications, creating design challenges for designers of real-time operating systems (RTOSs) that host the new applications. However, DO-178B safety certification may not be the most difficult part.
Posted by John McHale

NextGen will "transform our existing human, simple radio, and radar-based air traffic control system to a device-based system using a wide range of unmanned sensing and satellite-based communications systems, [and] will enable both a wider use of our national airspace and a higher, more scalable level of safety that is not achievable with our current technology," says Chip Downing, senior director, business development, Aerospace & Defense Business Unit at Wind River Systems in Alameda, Calif.

NextGen and SESAR will not have a direct impact on DO-178B RTOS certification, says Jacques Brygier, vice president of marketing at SYSGO in Mainz, Germany. Certification is already something the RTOS vendors do quite well and have been doing for some time, he continues. The challenge will be implementing all the functionality of the new software applications in a partitioned system, Brygier says. For example, an ARINC 653 system in the past may have had three or four applications running under it; with NextGen and SESAR it might end up hosting 40 or more, he adds. SYSGO's PikeOS RTOS is a partitioned system that will handle this transition well, Brygier says. PikeOS also is certified for DO-178B and for security, he adds. SYSGO is supplying the DO-178B certifiable PikeOS RTOS for the Loadmaster Control System on the A400M and assisting the development team in porting legacy code initially implemented for a former RTOS.
The safe and secure multi-partitioning is necessary to manage the different levels of certification corresponding to the different applications running on top of PikeOS. These applications have a scope of functionality that ranges from secure networking to safe support of graphical capabilities.

Avionics complexity

"The growing complexity of software is the main reason that has driven the avionics market to use commercial-off-the-shelf (COTS) RTOSs," says Gary Gilliland, business development, Safety Critical Systems at LynuxWorks in San Jose, Calif. "Years ago most RTOSs that were used were developed in-house, but as the need for more features and functionality in the RTOS was required it became necessary to look to COTS vendors for support."

"NextGen ATM systems will require more Level A certifiable software and hardware to be installed in the aircraft," Gilliland continues. "Aircraft system integrators are looking for ways to add these features with the lowest possible cost."

Gilliland says there are three possible ways to provide this functionality:

1. design a completely new system (hardware and software) to add to the aircraft system;
2. add a new single board computer with software to an existing system in an empty slot; or
3. add a new software partition to an existing system to combine the ATM system applications with other existing applications.

"Option 3 is the most cost effective solution if the existing system meets certain requirements," assuming memory and CPU overhead is available, Gilliland says. "Many of the existing 178 RTOSs have never been certified in a multi-level system or don't have the performance to run software of this complexity, but LynuxWorks' LynxOS-178 was designed to run multiple levels of software at the same time," Gilliland continues.

DO-278

"The tradeoff for this increased capability is extending the very successful DO-178B strategy proven with our airborne systems across all components in the system, including ground-based platforms," Wind River's Downing says. "These ground-based systems will be subject to DO-278 certification requirements, a standard based upon DO-178B with extensions for enterprise systems, including high availability capabilities. This is good for all, for the proven quality of airborne platforms using DO-178B can now be extended to robust ground-based systems, which should be able to offer far more capability and reliability over human and radar-based navigation systems."

Downing says the DO-278 requirements will not be difficult. "RTCA DO-178B is now such a well-known standard on a global basis that the creation and certification of software to this standard, and its close relative, DO-278, for NextGen ATM systems should not be a high risk leap for any vendor in this program."

"There are now a wide range of COTS certified software components ready for these systems, and, where COTS solutions do not exist, proven certification vendors like Verocel and HighRely can rapidly assist in getting additional components certified to the appropriate level of DO-278," Downing says. "For federated systems Wind River has its proven VxWorks DO-178B Platform with COTS DO-178B Certification Evidence for all DO-178B/278 safety levels A through D." For integrated modular avionics (IMA) platforms Wind River has its VxWorks 653 product, he adds. Wind River also has newer platforms, such as VxWorks MILS and the Wind River Hypervisor, that can isolate enterprise application platforms such as Linux and Windows on mixed safety-criticality and security-sensitive platforms, Downing says. "When these products are coupled with our DO-178B/278 COTS Certification Evidence, certification at the OS level is greatly accelerated and has minimal risk."
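The partitioning problem Brygier and Gilliland describe above (three or four applications per ARINC 653 system growing to 40 or more, or a new ATM partition dropped into an existing box with spare CPU time) comes down to a static time schedule: each partition gets fixed windows inside a repeating major frame, and a window that overruns the frame or overlaps another partition's window is exactly the fault an integrator must rule out before the configuration goes to certification. What follows is an added example, not code from any vendor named here or from the original article: a small checker for such a schedule, with hypothetical type and function names (sched_window_t, check_schedule, build_round_robin) and constructed sample data, written in the C that a partition OS configuration would normally be expressed in.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not vendor code: a static checker for an ARINC 653-style
 * partition schedule. All type and function names here are hypothetical. */

typedef struct {
    uint16_t partition_id;
    char     dal;          /* DO-178B design assurance level, 'A'..'E' */
    uint32_t offset_us;    /* window start, relative to the major frame start */
    uint32_t duration_us;  /* window length; the partition is preempted at its end */
} sched_window_t;

#define SCHED_OK       0u
#define SCHED_EMPTY    1u  /* a window of zero length */
#define SCHED_OVERRUN  2u  /* a window runs past the end of the major frame */
#define SCHED_OVERLAP  4u  /* two windows claim the core at the same time */
#define SCHED_TOOMANY  8u  /* more windows than the checker's table holds */

#define MAX_WINDOWS 64

/* Insertion sort by start time; n is small, so simplicity wins. */
static void sort_by_offset(sched_window_t *w, size_t n)
{
    for (size_t i = 1; i < n; i++) {
        sched_window_t key = w[i];
        size_t j = i;
        while (j > 0 && w[j - 1].offset_us > key.offset_us) {
            w[j] = w[j - 1];
            j--;
        }
        w[j] = key;
    }
}

/* Returns SCHED_OK, or a bitmask of every fault class found. The input is
 * copied and sorted, so the caller may list windows in any order. */
unsigned check_schedule(const sched_window_t *in, size_t n, uint32_t major_frame_us)
{
    sched_window_t w[MAX_WINDOWS];
    unsigned faults = SCHED_OK;
    uint64_t prev_end = 0;

    if (n > MAX_WINDOWS)
        return SCHED_TOOMANY;
    for (size_t i = 0; i < n; i++)
        w[i] = in[i];
    sort_by_offset(w, n);

    for (size_t i = 0; i < n; i++) {
        /* 64-bit arithmetic so an oversized offset+duration cannot wrap back inside the frame */
        uint64_t end = (uint64_t)w[i].offset_us + w[i].duration_us;
        if (w[i].duration_us == 0)
            faults |= SCHED_EMPTY;
        if (end > major_frame_us)
            faults |= SCHED_OVERRUN;
        if (i > 0 && w[i].offset_us < prev_end)
            faults |= SCHED_OVERLAP;
        if (end > prev_end)
            prev_end = end;
    }
    return faults;
}

/* Time per major frame guaranteed to all windows of a given assurance level,
 * e.g. to confirm Level A work cannot be starved by the Level D newcomers. */
uint32_t level_budget_us(const sched_window_t *w, size_t n, char dal)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        if (w[i].dal == dal)
            total += w[i].duration_us;
    return total;
}

/* Build a plain round-robin frame: n partitions, one equal window each. */
size_t build_round_robin(sched_window_t *out, size_t n, uint32_t slice_us, char dal)
{
    if (n > MAX_WINDOWS)
        return 0;
    for (size_t i = 0; i < n; i++) {
        out[i].partition_id = (uint16_t)i;
        out[i].dal          = dal;
        out[i].offset_us    = (uint32_t)i * slice_us;
        out[i].duration_us  = slice_us;
    }
    return n;
}

/* Convenience: faults for an n-way round-robin of slice_us inside the given frame. */
unsigned round_robin_faults(size_t n, uint32_t slice_us, uint32_t major_frame_us)
{
    sched_window_t w[MAX_WINDOWS];
    size_t built = build_round_robin(w, n, slice_us, 'D');
    if (built == 0 && n != 0)
        return SCHED_TOOMANY;
    return check_schedule(w, built, major_frame_us);
}

/* Constructed sample (not from any real configuration): the second window
 * starts at 500 us, inside the first window's 0..1000 us. */
const sched_window_t overlap_sample[2] = {
    { 0, 'A', 0,   1000 },
    { 1, 'D', 500, 1000 },
};

int main(void)
{
    printf("40 x 500 us in a 20 ms frame: faults=%u\n", round_robin_faults(40, 500, 20000));
    printf("41 x 500 us in a 20 ms frame: faults=%u\n", round_robin_faults(41, 500, 20000));
    printf("overlapping pair:             faults=%u\n", check_schedule(overlap_sample, 2, 5000));
    return 0;
}
```

Run as-is, it reports a fault mask of 0 for a 40-way round-robin that exactly fills a 20 ms frame, 2 (SCHED_OVERRUN) for a 41-way one, and 4 (SCHED_OVERLAP) for the constructed pair. The checker accumulates every fault class rather than stopping at the first, which is what a configuration review wants, and it does the end-of-window arithmetic in 64 bits so a corrupt duration cannot wrap around to look legal. A real ARINC 653 configuration tool would also check core assignment, memory regions and inter-partition ports, which this example leaves out.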
Green Hills Software in Santa Barbara, Calif., offers INTEGRITY-178B, a securely partitioned RTOS for safety-critical applications containing multiple programs with different levels of safety criticality, all executing on a single processor, according to the Green Hills web site. The INTEGRITY RTOS flies on the F-35 Joint Strike Fighter and was selected for NASA's Orion Crew Exploration Vehicle. In addition to being certified for DO-178B, the INTEGRITY RTOS has also been certified to the National Security Agency's (NSA's) Common Criteria evaluation assurance level (EAL) 6+, high robustness.
