[Special Report]

AVIONICSmagazine

AVIONICS®

magazine

Real-Time Operating SystemsReal-Time Operating SystemsVersatility Plus SecurityVersatility Plus Security

Avionics Magazine 3

The operating system is a computer’s coresoftware. It manages all of the computer’sother software programs. Everyone is famil-iar with PC operating systems. They arelarge, feature-rich and prone to crash when

overstressed. But a PC typically works in a home oroffice environment. If the system slows to a crawl or

occasionally crashes and must be rebooted, it is irri-tating but no catastrophe.

But computers flying airplanes or releasingweapons have to be extremely reliable. At the soft-ware level, this calls for government-approved andstandards-based real-time operating systems(RTOSes). RTOSes are employed widely, not just inthe military/aerospace sector, but across the board inmust-not-fail telecom, medical and automotiveequipment.

For many years individual companies developedtheir own operating systems, which were used intheir own products. “Proprietary” operating systems,optimized for particular applications, are still beingdeveloped and used today. But increasingly, systemsdevelopers are looking for commercial solutions thatare created, maintained and supported by informa-tion technology specialists, freeing higher-leveldesigners to focus on the applications instead.

The demand for commercially supported soft-ware RTOSes and tools is substantial and growing. In2002, the worldwide market for commercial RTOSesand associated software tools, exclusive of mainte-nance and consulting work, was $675 million. Themarket is expected to grow to $914 million in 2007,according to the analyst group Gartner Dataquest.

Unlike a desktop operating system, an RTOS isfar smaller in size, more modular in structure andfocused on the most essential functions, explainsDaya Nadamuni, principal analyst with GartnerDataquest. There is no need for an RTOS to includeprogramming interfaces to the hundreds of popular

software packages that desktop operating systemsmust provide.

In “hard” real-time applications, such as aero-space, the RTOS must be particularly compact. Thecore, or kernel, may feature only essential functionssuch as memory management and time schedulersupport. It must respond to requests for service with-in guaranteed time windows, often measured in mil-lionths of a second. “Hard freezes are not acceptablein embedded operating systems,” Nadamuni says.

“ Hard freezes are not acceptable in

embedded operating systems.”

Inside:

RTOSes’ Multiple Applications ..................................................................4

Certification: Gold Standard ....................................................................8

New Approach to Security ....................................................................12

From Proprietary to COTS ....................................................................14

For long-term success in the government market, real-timeoperating systems need to be versatile, safe, secure andsupportable.

Real-Time Operating Systems

Key COTS RTOS Attributes:➤ Versatility—applicable to multiple systems; ➤ Safety—compliant to the DO-178B standard;➤ Security—able to separate multiple levels of

data; and➤ Supportability—maintained and enhanced by

specialist companies.

Real-time operating systems (RTOSes) play a crucialrole in avionics computers across the spectrum ofaviation—from small, private aircraft to the mostadvanced airliners and military jets. This complexsoftware controls the running of safety-critical func-

tions that keep airplanes aloft, guide them along their intendedflight paths and “paint” the cockpit displays. For military aircraft,the software also manages mission-critical functions like evadingattack and releasing weapons.

Speed and PredictabilityA key feature of an RTOS is its ability to meet tight processingdeadlines. An application program controlling the release of aweapon may require an action from the operating system in lessthan one-thousandth of a second. The deadlines for servicingflight control functions are measured in millionths of a second.The operating system must perform predictably, with guaranteedresponse times, in this “hard” real-time environment, despite thefrequent occurrence of unscheduled demands for services.

Notwithstanding the trend toward greater integration of avion-ics functions, most aircraft still contain many different comput-ers, provided with different operating systems. The next-genera-tion Airbus 380 super jumbo airliner, for example, will use at leastfour companies’ RTOS products, and probably more. Even a sin-gle computer—such as the mission computer planned for the U.S.

4 Avionics Magazine

Commercial real-

time operating

systems are proving

their value across

a wide range of

aircraft types and

avionics systems.

Commercial RTOSes’Broad AppealA c r u c i a l r o l e a c r o s s

t h e a v i a t i o n s p e c t r u m

military’s new Joint Strike Fighter—canhost more than one “embedded” RTOS.

RTOS ExamplesOver the past decade the U.S. governmenthas stressed the use of commercial off-the-shelf (COTS) technologies in order to con-trol costs and simplify logistics. Commer-cial technologies, the thinking goes, havebeen employed and tested by more usersacross a wider range of industries than havetheir “proprietary” counterparts. Commer-cial real-time operating systems haveproved themselves in various industries andare being adopted by avionics manufactur-ers as well. Among the key suppliers ofCOTS RTOSes are Green Hills Software,LynuxWorks and Wind River Systems.Green Hills Software’s INTEGRITY-178Band INTEGRITY RTOSes are being usedor designed into military bombers, fightersand unmanned air vehicles, as well as civil-ian helicopters and airliners.

INTEGRITY-178B is a fairly new com-mercial RTOS, an evolution of the originalINTEGRITY product released in 1997.Introduced in 2000, INTEGRITY-178B isone of the first commercial products tocomply with a standardized approach topartitioning. This key feature enables theRTOS to safely orchestrate the demands ofmultiple application programs sharing asingle set of hardware resources. Partition-ing involves dividing processing tasks intime and in space so that the programs cancoexist safely on a single computer. ARINC653 is the specification that standardizespartitioning for aerospace RTOSes.

The U.S. Air Force’s B-1B programadopted the original INTEGRITY RTOS in1997 as part of a project to convert thebomber from a nuclear to a conventionalwarfighting role. The B-1B prime contrac-tor, Boeing, may move to newer versions ofthe Green Hills operating system in a fur-ther avionics upgrade. Lockheed Martin’snew F-16E/F, Block 60, fighter aircraft usesINTEGRITY to power its mission and dis-play computers as part of a move towards

commonal i ty of sof tware tools andresources within the company. And Siko-rsky’s new medium-lift helicopter, the S-92,uses INTEGRITY-178B as part of itsAvionics Management System (AMS).

B-1B LancerAs part of the B-1B’s conversion to a con-ventional role, Boeing replaced the sixAvionics Flight Software (AFS) computersresponsible for flight control, cockpit dis-plays, terrain following, radar control, navi-gation, self-defense management andweapons delivery. Faster hardware andmore sophisticated software allowed all ofthe applications programs to be run in asmaller “footprint” on the aircraft. At thistime Boeing also adopted the INTEGRITYRTOS as part of a move to commercialtechnology.

The software applications describedabove reside in two active computers. Twoadditional computersserve as backup. The firstc o m p u t e r h o s t s t h eflight-critical, terrain-following applicationscode. The remainingapplications reside in onecard in the second com-puter. Both computersa n d t h e i r b a c k u p sinclude a second proces-sor card to al low forfuture enhancements.

Because of key, real-time interaction betweenthe B-1B software appli-cat ions—required toensure precision weapondel ivery and cr i t ica lflight controls—as wellas current applicationsstructuring, engineersnow must retest existing code when newsoftware is added. This is to assure thatexisting functions have not been changed,explains Nancy Anderson, Boeing’s B-1/B-2 senior site engineering manager.

AFS Partitioning PrototypeThe government has funded Boeing todevelop a proof-of-concept software parti-tioning architecture prototype that providesgreater protection against the effects ofchanges. One aim of the project is to showthat when changes are made the amount ofretesting can be reduced to support quick-reaction turnarounds.

Changes are anticipated for the B-1B, as

it adapts to priorities, such as “network-centric warfare” and new rules for flying incivil-controlled airspace. “But the immedi-ate need is to be an important and integralpart of the global warfighting network,”Anderson says.

The Global Air Traffic Management(GATM) program—for making militaryaircraft compliant with civil ATM rules—“requires navigation software to be DO-178B-certif ied,” Anderson notes. (DO-178B is the primary safety-software devel-opment standard used in both commercialand military aviation.) “Dividing the appli-cations and upgrading to INTEGRITY-178B will be one step along the way toensuring the B-1B meets GATM require-ments,” Anderson says.

The prototype effort involves somerestructuring of existing applications pro-grams to distribute and execute applica-tions on both cards in the computer. The

restructuring also will position future appli-cations to take advantage of operating sys-tem features, such as partitioning. In theprototype architecture the memory parti-tioning and memory access control provid-ed by the memory management unit(MMU) would be enforced by the commer-cial RTOS. “The beauty of partitioning isthat we can make modifications in one par-tition and not have to ‘regression-test’ theothers because partition protection is inplace,” explains Devron Hanks, Boeing’sB-1B AFS system architect.

In the prototype project, Boeing soft-ware engineers will “split up” the applica-tions software, Hanks says. Programmers,

Avionics Magazine 5

Green Hills RTOS Design-InsAirbus 380B-1BB-52F-16E/F, Block 60F/A-22F-35 Joint Strike FighterS-92

Green Hills RTOSes support processing for the panel displays and head-up display of the F-16E/F, Block 60.

6 Avionics Magazine

for example, will enforce strict and consis-tent interfaces between the applications.Modules need to be clearly separated andidentified so that the RTOS can enforcethe rules for their access to the micro-processor, memory, data buses and otherhardware resources.

The prototyping effort includes:➤ Verifying the time and space partition-

ing concepts and the available commu-nications protocols,

➤ Restructuring the applications softwareto execute on distributed cards and takeadvantage of partitioning,

➤ Defining which partitions need to talkto each other and how they talk to eachother, and

➤ Verifying the communications mediumbetween the applications—a VMEbackplane—and INTEGRITY-178Bpartition communication protocols. Safety-critical software—such as naviga-

tion and terrain following code—and select-ed pieces of the weapons code would remainon the second computer’s active card. Thiscode is the most expensive to retest in theevent of change. It is closest to the hardwareand has the tightest deadlines.

Although f inal software allocationbetween the cards remains to be deter-mined, Boeing plans to host display, self-defense management systems, missionplanning and some weapons functions onthe second card of the second computer.That still will leave about 60 percent of thecard’s resources available for new applica-tions. Full time and space partitioning willbe done on the second card, Hanks says.

F-16E/F, Block 60The newest version of the F-16 FightingFalcon, which Lockheed Martin developed

for the United Arab Emirates, incorporatesa new radar, integrated forward-lookinginfrared (FLIR) targeting system, electron-ic warfare suite, digital flight control sys-tem and high-speed, fiber optic data com-munications links. At the heart of these sys-tems is the advanced mission computer(AMC), which hosts multiple applications,or domains. Among them are weapons andfuel management, data formatting for thedata buses and fiber optic links, navigationand the head-up display (HUD).

Within the AMC, the INTEGRITYRTOS executes on multiple Motorola Pow-erPC processors. Each processor hostsmore than one software domain. The RTOShelps to protect the applications from eachother, allowing them to share the samehardware resources.

Lockheed also has developed Joint Soft-ware Execution Platform (JSEP) softwarewhich runs on top of the RTOS, insulatingthe applications programs from the hard-ware. Along with JSEP, the RTOS enforcespriorities for the execution of functions onthe microprocessor.

Application programs for the missioncomputer that have been carried over to thenew aircraft from the current, Block 50

version of the F-16 were basi-cally unchanged in the F-16E/F.These programs already hadbeen structured to take advan-tage of par t i t ioning. Theyrequired only to be convertedfrom Ada to the C++ program-ming language.

A second key computer, thecolor display suite (CDS),processes data for the F-16E/F’sthree, 5-by-7-inch color cockpitdisplays. The CDS also usesmultiple Motorola PowerPCprocessors, running an OpenGLserver on top of the INTEGRI-TY RTOS, for display process-ing and display generation. One

type of processor card, known as the gener-al-purpose processor, or GPP, hosts multi-ple software domains. The GPP, for exam-ple, controls the tactical display, the“upfront controls” for pilot interaction withradios and other avionics systems, and theweapons displays. It uses INTEGRITY toenable multiple applications to run safelyon the same hardware resources.

S-92 HelicopterINTEGRITY-178B also is used in theAvionics Management System developedby Rockwell Collins for Sikorsky’s new S-92 medium-lift helicopter. AMS not onlymanages and displays primary flight dataand navigation information, but alsoprocesses and displays flight management,digital map, weather radar, terrain warning,and engine indication and crew alert system(EICAS) information.

The S-92 cockpit features four Collins 6-by-8-inch, liquid crystal, multifunctionalflight displays. These include a primary flightdisplay and an EICAS/navigation display foreach pilot. A fifth display is optional.

The Collins display system, using theINTEGRITY RTOS, was approved to LevelA of the civil aviation safety standard, DO-178B, in 2002. Level A certification wasrequired for the Collins display systembecause it manages and displays primaryflight data, explains Tony Johnson, chiefarchitect for Collins’ Integrated Applica-tions business area. The aircraft receivedFederal Aviation Administration (FAA)type certification in December of 2002.

A version of the Collins avionics systemwill use the partitioning feature of theGreen Hills Software operating system tocreate three software partitions of varyingcriticality levels, says Johnson: Level A forflight display functions; Level C for sur-veillance functions, such as terrain aware-ness warning system (TAWS) and weatherradar; and Level D for maintenance and sta-tus functions.

Rockwell Collins’ AMS for the Sikorsky S-92 uses the INTEGRITY-178B RTOS.

The F-16E/F, Block 60, will feature new sensors,displays and high-speed fiber optic links.

Software developed for safety-critical systems onpassenger jets must pass a high level of scrutinyin order to ensure that it is safe to use for publictransport. More than the final lines of softwarecode must be carefully reviewed and certified.

So, too, must the processes involved in planning, developingand testing the software. Companies developing such soft-ware must show that they have met the requirements of thecommercial aviation standard, DO-178B, at all stages ofdevelopment—from planning through documentation andtesting. This standard is so well-accepted that governmentavionics projects increasingly require it as well.

Origins of DO-178B DO-178B was developed to address the certification needs ofemerging digital avionics systems. Certification agencies rec-ognized that they needed a standard to define software devel-opment processes that assure aircraft safety. These processesare designed to supersede the procedures used in previousdecades for analog equipment.

Most software installed in commercial aircraft—includingcommercial off-the-shelf (COTS) software—has been devel-oped using processes that comply with DO-178B. RTCA Inc.

8 Avionics Magazine

The commercial

standard dominates

in operating system

approvals, even in

military avionics. But

there’s more to DO-178B

compliance than one

would guess.

Av i oCertD O - 1 7 8 B ,

produced the standard, which is called“Software Considerations in AirborneSystems and Equipment Certif ication.”First published as DO-178 in 1982, it wasestablished to “develop and documentsoftware practices that would support thedevelopment of software-based airbornesystems and equipment.”

The standard has been revised twice—DO-178A, approved in 1985, and DO-178B,approved in 1992—to reflect advances insoftware technology and lessons learnedfrom earlier certifications. As directed by theFederal Aviation Administration (FAA),Advisory Circular 20-115B, DO-178B is anacceptable means to “secure FAA approvalof digital computer software.” Informationto purchase the standard is available atwww.rtca.org. In Europe the equivalent doc-ument is EUROCAE ED-12B which isavailable at www.eurocae.org. A jointRTCA/EUROCAE committee is expected tocommence work on a third revision to thestandard, DO-178C, in September 2005.

Recognizing that not all equipmentinstalled on an aircraft affects safety tothe same degree, RTCA incorporatedmultiple assurance levels in DO-178B.The non-prof it industry organizationunderstood that failures in, say, the flightcontrol system have much greater conse-quence than a failed seat-back passengerentertainment display. It took into accountthe equipment certification process whichrecognizes f ive failure condition cate-gories: catastrophic, hazardous/ severe-major, major, minor and no-effect. Thesec a t e g o r i e s a r e a p p l i e d a s p a r t o f the system-level safety assessment for the systems and equipment installed on aircraft.

Levels A Through EIn tandem with these failure conditions,DO-178B describes five software assur-ance levels—Level A through Level E—foraviation systems containing software. LevelA of DO-178B, for example, applies toequipment whose failure would be deemedcatastrophic. If an avionics system is classi-fied in the highest failure condition catego-ry, its software programs must meet thehighest assurance level. Exceptions canonly be made when there is a means for“partitioning” in which the operation of onesoftware program does not affect the opera-tion of another software program executing

on the same hardware. The number of DO-178B objectives that

must be satisfied rises from Level D toLevel A—with corresponding increases inthe certification effort required. (For LevelE, the lowest level of DO-178B, no objec-tives apply.) Level A requires compliance toall 66 DO-178B objectives which includesuch disciplines as planning, development,verification, configuration management,quality assurance, tool qualification and liai-son with certification authorities.

Unlike some other standards, DO-178B is not proscriptive. It doesn’t dictatewhat should be done or what precise dataformat should be used. Instead, DO-178Bis objective-based. It states the “objectivesfor software life-cycle processes” butallows individual developers to complywith the objectives. Software developerstherefore can employ whatever means areappropriate for their projects and companypractices. However, while degrees of com-pliance to other standards may be nego-tiable, compliance to the DO-178B objec-tives for a particular software level aremandatory.

Software Approval ProcessFAA won’t evaluate COTS software unlessthe software has been designed into anavionics system. The agency’s involvementwith a COTS supplier usually consists ofaudits of compliance to DO-178B objec-tives but may also include examination ofnovel product features such as partitioningor use of object-oriented constructs. Keysto achieving successful audits include first-hand knowledge of DO-178B, well-defineddevelopment processes, and a highly disci-

Avionics Magazine 9

n i c si f i cat iont h e G o l d S t a n d a r d

“ Unless an acceptable alternative is

proposed, compliance to DO-178B is

mandatory before FAA places its stamp of

approval on a product containing software.”

plined effort to follow the processes. The first step for any project involves

defining the fundamental processes for theproduct’s software development, verifica-tion, quality assurance and configurationmanagement. A document, called the “Planfor Software Aspects of Certification,” thenis created. This plan and the supportingplans and standards constitute the initialbuilding blocks for an audit.

Planning is followed by product devel-opment and verif ication. Developmentincludes the production of high-levelrequirements, low-level requirements,source code (the code in which a program iswritten), and corresponding traceabilitybetween these elements and the require-

ments for the system as a whole. These ver-ification activities are significant, goingbeyond traditional code reviews and test-ing. All development data, from planning totesting, is reviewed and analyzed. In addi-tion, all requirements, high- and low-level,are rigorously tested in both normal androbust test scenarios. FAA also examines thesource code structure, and additionalchanges and tests are made, until 100 per-cent of the source code structure is verified.

The development data and verificationresults are then summarized in a “SoftwareAccomplishment Summary.” With this doc-ument, along with the supporting certifica-tion evidence, the FAA enters the picture,auditing for compliance to DO-178B. Over-

all, thousands of pages of development andverification certification evidence are pro-duced and archived for each product.Unless an acceptable alternative is pro-posed, compliance to DO-178B is manda-tory before FAA places its stamp ofapproval on a product containing software.

Risk ReductionThe rigor of the DO-178B process isimportant when one considers the use ofthe term, “certif ied,” in regard to evi-dence. “Certified” should only be usedfor software already flying in certifiedsystems. The use of COTS productsalready embedded in FAA- or military-approved aircraft systems reduces the riskto a program’s development schedule.

Avionics developers can gain a leg up,as well, when integrating COTS softwaredeveloped for another industry or toanother industry’s standard interface,

such as the popular Internet standard,TCP/IP. This allows the developer to focuson core competencies. Better yet, if theCOTS software supplier can providereusable certification evidence for a prod-uct, the costs of the approval process willdecrease. COTS products that can be con-sidered for integration into avionics includeruntime libraries, real-time operating sys-tems (both partitioned and shared-addressspace), device drivers (such as Mil-Std-1553, Ethernet and Firewire), communica-tions stacks, f ile systems and objectresource brokers (ORBs). Manuals andbrochures for these products probably willindicate they have been certified or are cer-tifiable.

Developers may initially set the goal ofcompliance to a lower level of DO-178B toreduce development costs. However, suchan approach may lead to excessive reworklater on. The number of DO-178B objec-tives requiring independent activities—activities that can not be performed by thesame software engineer—increases witheach ascending software level. For a projectthat does not initially apply such indepen-dence, some activities may have to be rede-veloped to raise the product to the next soft-ware level. A well-developed plan shouldinclude considerations for potential futuresoftware levels in order to avoid redundantefforts.

Cost-Saving PartitioningAnother means to potentially reduce sys-tem development costs and schedules is toseparate the software into partitions, or vir-

10 Avionics Magazine

Green Hills Products at WorkGreen Hills Software completed DO-178B, Level A, l i fe-cycle data forINTEGRITY-178B in November 2002.This life-cycle data was used by RockwellCollins as part of the technical data sub-mitted for the technical standard order(TSO) of the Avionics Management Sys-tem (AMS), which is used on Sikorsky’snew S-92 helicopter. The Federal AviationAdministration (FAA) certified the S-92helicopter in December 2002.

ACSS, jointly owned by L-3 Commu-nications and Thales, completed a TSO forits Terrain and Traffic Collision AvoidanceSystem (T2CAS) in February 2003, usingINTEGRITY-178B and Green Hills DO-178B life-cycle data.

Green Hills Software’s INTEGRITY-178B is the first commercial RTOS withfull time and space partitioning to be usedin products certified to Level A of DO-178B for commercial aircraft.

Following these initial certifications,Green Hills Software has deliveredINTEGRITY-178B to other customerswho have used the product in computingplatforms for engine controllers, collisionavoidance systems, data concentrationunits, displays, inertial reference units andradio equipment.

To complement INTEGRITY-178B,Green Hills provides language supportlibraries with DO-178B, Level A, certifi-cation evidence for safe subsets of C, C++,and Ada95.

Software that could cause or contribute to the failure of the system, resulting in a catastrophic condition.

Software that could cause or contribute to the failure of the system, resulting in a hazardous or severe failurecondition.

Software that could cause or contribute to the failure of the system, resulting in a major failure condition.

Software that could cause or contribute to the failure of the system, resulting in a minor failure condition.

Software that could cause or contribute to the failure of the system, resulting in no effect on the system.

Level A

Level B

Level C

Level D

Level E

DO-178B Software Certification Levels

Avionics Magazine 11

tual applications. When applications arepartitioned, the faults occurring in one partition are prevented from:➤ Propagating into, and causing the fail-

ure of other partitions; and➤ Causing the partitioning mechanism

to fail. Processor designs have included virtual

applications support (e.g., memory man-agement units) for over 20 years. But theearly processors lacked sufficient through-put to support real-time operation for multi-ple applications simultaneously. Over theyears processor throughput has increasedand so, too, has the potential for real-timemultiprocessing. The basis for partitioningon a single processor was achieved by cou-pling today’s fast processors, memory man-

agement units, and asupporting real-timeoperating system.

Historically, avion-ics functions have beenseparated from eachother by hardware, in afederated architecture.The individual comput-e r s m ay eve n h aveincluded operating sys-tems that provided noprotection between theapplications. In otherwords, all applicationsshared the same address space. In a federat-ed system the software level applied to eachcomputing platform and all the softwarerunning on it adheres to the highest levelassigned from the safety assessment. This istrue even if the high failure condition cate-gory represents only a minor portion of thesoftware.

Now that avionics manufacturers caninclude partitioning operating systems intheir equipment, they can:➤ Use less hardware to provide the same

functions. System costs may be reducedwhile retaining, and potentially improv-ing, reliability.

➤ Isolate higher-criticality software fromlower-criticality software. Since lower“criticalities” require fewer DO-178Bobjectives, compliance for these appli-cations will require less effort.

➤ Isolate functions that change from pro-ject to project from functions thatremain stable. Since par ti t ioningimplies that the functions are isolatedfrom each other, retest efforts for thestable functions may be reduced.

➤ Isolate functions originating from dif-ferent suppliers, partners or develop-ment teams and maintain them as sepa-rate partitions during the integrationprocess. Thus, less rework may berequired to resolve integration issues.

Military aircraft programs are notrequired to comply with DO-178B, as are

commercial aircraft programs.Yet a contract or manufacturer may

require DO-178B compliance. Reasonsinclude:➤ The increasing substitution of “com-

mercial best practices” for military stan-dards, a trend that has gathered momen-tum since the early 1990s. DO-178B isconsidered to be the current best prac-tice for commercial aircraft softwarecertification.

➤ Military service requirements. Military

communication, navigation, surveil-l a n c e / a i r t r a f f i c m a n a g e m e n t(CNS/ATM) equipment covered by the Global Air Traff ic Management(GATM) program must comply withcivil airworthiness standards in order to be used in civi l ian-control led airspace.

➤ Dual-use (commercial/military) equip-ment requirement to comply with DO-178B for commercial applications.

➤ Wide technical support base for DO-178B, a published standard, with readilyavailable industry experts, consultantsand trained staff.

➤ And reusability of developed life-cycledata for other purposes (e.g., securityassurance standards). As more and more COTS products with

DO-178B compliance become available,one can expect their increased use in mili-tary aircraft.

“Certifiable” Partitioned RTOSesFour commercial vendors of real-timeoperating systems (RTOSes) have gener-ated or are in the process of generatingcertif ication evidence for their parti-tioned operating systems:

1. Green Hills Software, whose Level A,INTEGRITY-178B RTOS was acceptedfor approval in the Avionics ManagementSystem (AMS) of the Sikorsky S-92 heli-copter in November 2002.

2. LynuxWorks, which distributes,enhances and maintains a Level A operat-ing system originally developed by Rock-well Collins (from a prior version ofLynxOS), as LynxOS-178. Collinsachieved Level A approval in June 2003,using the RTOS as part of the adaptiveflight display system on the BombardierChallenger 300 business jet.

3. Wind River Systems, which introducedits AE653 product in October 2003.AE653 is planned to be Level A-approvedfor Smiths Aerospace equipment on theBoeing 767 Tanker Transport and the C-130 Avionics Modernization Program(AMP).

4. BAE Systems, which is providing itsCsLEOS RTOS for a planned, fly-by-wireflight control system upgrade to the Siko-rsky S-92. While all programs usingCsLEOS have DO-178B, Level A,requirements, the S-92 system will be theRTOS’s first commercial aircraft, Level Aapproval.

ACSS’s Terrain and Traffic Collision Avoidance Systemwas approved in 2003, using the INTEGRITY-178B RTOS.

“ Equipment covered by the Global AirTraffic Management (GATM) program mustcomply with civil airworthiness standards.”

12 Avionics Magazine

Real-time operating systems (RTOSes) aredesigned to perform reliably and predictably indemanding, safety-critical environments. ButU.S. government security experts now wantthese operating systems—with the aid of hard-

ware and software provisions—to enforce security “rules,” aswell. At the highest level of capability, the RTOS wouldsecurely separate the multiple levels of data that will be pre-sent in integrated avionics processors.

This “assurance” feature is important, as the militaryadapts to emerging priorities such as network-centric war-fare, which envisions the transmission of highly classifieddata between network nodes. The requirement to equip mili-tary airplanes with civil-compatible flight management andcommunications gear, in order to continue flying in civil-controlled airspace, makes the need to separate classified andunclassified data more urgent.

Over the last three decades, security experts have devel-oped concepts to allow the implementation of computingsystems that can protect sensitive data. The U.S. computer

GuardingSecrets

Government users

are demanding

not only reliability,

but also bulletproof

protection for

sensitive data.

C o m m e r c i a l R T O S e s O f f e r i n g S a f e t y a n d S e c u r i t y

security guideline, known as the “OrangeBook,” was first published in 1983. OrangeBook concepts, such as “security domains,”“trusted path” and “mandatory access con-trol,” continue to be applied in the CommonCriteria, the international security hand-book that replaced the U.S. document in thelate 1990s. The Common Criteria definesseven evaluation assurance levels, or EALs,corresponding to earlier Orange Book cate-gories. Systems that are approved to thehighest level, EAL-7, are expected to be“multilevel-secure”—able to separate threeor more levels of data while processingthem on shared hardware resources.

Early attempts to develop operating sys-tems providing the highest level of assur-ance floundered because the operating sys-tems were expected to do everything. In theprocess the software programs became toolarge and unwieldy to evaluate. These fail-ures sparked work on a new way to imple-ment long-held security concepts.

Called MILS, for Multiple IndependentLevels of Security, this new approach relieson a multilayered software architecture,backed by hardware devices such as themicroprocessor’s memory managementunit (MMU). The core software of theRTOS, known as the microkernel, isresponsible for enforcing a system’s securi-ty rules, or security policy. MILS also envi-sions single-purpose security applications,such as “guards,” security policy managersand encryption algorithms.

Several programs, such as the C-130avionics upgrade, the F/A-22 and the JointUnmanned Combat Air System, are consid-ering MILS. A program managed by Lock-heed Martin, with funding from the AirForce Research Lab (AFRL), has studiedthe feasibility and cost of using commercialRTOSes and middleware to separate multi-ple levels of data. Green Hills Software,with its INTEGRITY-178B RTOS, andLynuxWorks, with a planned LynxSecuremicrokernel, are participating in this pro-gram, along with Objective Interface Sys-tems (a middleware company), the NationalSecurity Agency (NSA), the Open Group (astandards body), Rockwell Collins and theUniversity of Idaho.

A second phase of the AFRL program isanticipated, which would test the two oper-ating systems to EAL-7. EAL-7-certifiedsystems are expected to be able to simulta-neously separate multiple levels of data—from top secret to unclassified—while pro-cessing the data on shared hardwareresources. Green Hills plans to achieveEAL-7 approval in 2005.

C-130 to GPS to JTRSMILS-compliant technology also isplanned for the U.S. Air Force’s C-130Avionics Modernization Program (AMP).RTOS supplier, Wind River Systems, isworking with Smiths Aerospace to providea MILS-compliant microkernel for Smiths’mission display processor on upgraded C-

130 aircraft. The target assurance level forthe new Wind River microkernel, AESe-cure, is also EAL-7, and the planned securi-ty certification date is in 2006.

NSA is briefing the MILS concept tomilitary officials. Agency presentationsmention not only the F/A-22, F-35 and C-130, but also the Global Positioning System(GPS) satellite navigation system and theJoint Tactical Radio System (JTRS), a foun-dation stone for network-centric warfare.

But a MILS development effort is farfrom simple. For starters, the microkernelmust be very small—from 4,000 to 10,000lines of code. The RTOS company writes adocument, explaining how its product com-plies with security requirements outlined ina “protection profile.” The RTOS protec-tion profile describes threats and vulnera-bilities that are to be guarded against, andassurances that are to be provided toachieve an appropriate security objective,such as EAL-7.

Another requirement for an EAL-7-approved RTOS is “covert channel” analy-sis, in order to prove that there are no hid-den pathways in hardware or software toallow unauthorized communications—anddata sharing—between applications. Appli-cations programs also must leave no data“residue” behind when the microprocessorswitches from one task to another. “Trust-ed” software also has stricter requirementsthan “non-secure” software for documenta-tion of life-cycle data, configuration man-agement and delivery.

Most important, an EAL-7 RTOS mustundergo an evaluation process known as“formal methods,” which involves provingmathematically that the kernel code per-forms its required security functions.

MILS can be built on top of the parti-tioning concepts defined in ARINC 653, acommercial aviation specification devel-oped by avionics industry experts. ARINC653 provides a standardized approach topartitioning so that applications with differ-ent levels of safety criticality can run at dif-ferent times on the same microprocessor,coexist safely in memory, and share otherhardware resources. The MILS conceptextends the idea of partitioning into thesecurity domain so that the microkernelassures the confidentiality, as well as theintegrity, of the data.

“Fifteen years ago, we could not havedone the MILS architecture,” says a gov-ernment security expert. But now the costof security is only one-half of 1 percent of amodern microprocessor’s capacity.

UnclassifiedApplication

Middleware

SecretApplication

Middleware

Top SecretApplication

Middleware

Real-Time Operating System Microkernel

Processor* MILS stands for Multiple Independent Levels of Security

Avionics Magazine 13

MILS* Architecture

14 Avionics Magazine

Over the past decade, the U.S. govern-ment has encouraged the move frommilitary-specific, or “proprietary,” tech-nology to commercial off-the-shelf(COTS) products in order to reduce

development and maintenance costs. Many aviationprograms have chosen COTS over traditional “roll-your-own” real-time operating systems (RTOSes).

A proprietary RTOS is built by a single manufac-turer and is used only in that company’s products.Commercial RTOSes, on the other hand, are avail-

able to other hardware manufacturers and have beentested by a wider range of users.

COTS products are available from multiple sup-pliers, which compete with each other to provide themost effective, reliable, supportable, yet flexible andadaptable systems. In the aviation industry the majorsuppliers are Green Hills Software, Wind River Sys-tems, BAE Systems and LynuxWorks.

“Roll-your-own made sense a long time ago,”says Jerry Krasner, founder of Embedded MarketForecasters. “But 32-bit [commercial technology] ischeaper, easier to use and better supported.” Use ofproprietary systems has decreased from 30 percent afew years ago to 20 percent today, Krasner says.

The commercial world has moved from propri-etary to COTS RTOSes in many applications. But themore conservative avionics world has been slower tochange. If a proprietary RTOS has been perfected for aparticular system, there may be no reason to change it.But where there are evolving requirements, a COTSRTOS may be the answer. Commercial RTOSes aremore easily enhanced without changing their basicpurpose, says Paul Zorfass, a senior analyst withIDC/FTI. Interfaces to extend an RTOS’s networkingcapability—through protocols such as TCP/IP—aremore easily added to commercial software.

Another driver for COTS RTOSes is long-termcost-effectiveness. Using this technology shifts the

burden of developing and supporting the key soft-ware from platform and application designers to theRTOS companies, which are dedicated to supporting,testing and enhancing the products.

Standards-BasedThe COTS RTOS market also is standards-driven, inorder to satisfy demands for flexibility in portingapplications and even substituting other RTOSes. Thesoftware is expected to conform rapidly to the latestversions of global standards, such as the PortableOperating System Interface for UNIX (POSIX), andto industry standards such as commercial aviation’sDO-178B software development spec and ARINC653 partitioning guidelines. Staff members at RTOScompanies must be familiar with research at universi-ties, agencies and industry organizations in order tokeep their products viable in the market.

Green Hills Software’s INTEGRITY RTOS con-forms to the latest POSIX standard, 2003 POSIX.1.INTEGRITY-178B, a more compact version of theRTOS, also has been approved to Level A of DO-178B. It is in the process of approval to evaluationassurance level-7 (EAL-7), the highest level of assur-ance for an operating system.

INTEGRITY is being designed into aircraft mis-sion computers, display systems and traffic/terrainwarning systems, as well as software-defined radios,a Space Station pad abort demonstrator, telecomequipment, process and industrial controllers, printersand even an Internet-connected oven. INTEGRITYsupports most common microprocessor families.

Manufacturers are turning to commercial real-time

operating systems. The reason: cost and efficiency.

From Proprietary to COTS

“ Commercial RTOSes are more easily en-hanced without changing their basic purpose.”

Key Standards and Architectures:➤ POSIX application programming interfaces,➤ DO-178B—commercial aviation software spec,➤ ARINC 653—commercial aviation partitioning

guideline, ➤ SCA 2.2 (software communications architec-

ture), for software-defined radios, and➤ Multiple Independent Levels of Security

(MILS), an architecture for multilevel-securesystems.