The use of commercial off-the-shelf (COTS) real-time operating system (OS) software in military avionics applications is fairly common. Its use in civil avionics systems is less frequent, but this is changing. COTS' appeal is strong. Although the price can run into millions of dollars for a complex project, proponents say COTS cuts development costs and time to market, freeing engineering talent for applications development. Quality is maintained, they say, because the same certification material goes to every customer, whatever application each one is building.
The dominant specification for civil avionics software developers is RTCA's DO-178B, which covers planning, development, verification, configuration management, quality assurance and certification. Developers must show that they have met its guidelines before the boxes that carry their software applications can be certified. Until now the common practice has been to develop proprietary operating systems; broad-based operating system vendors have lacked a major presence. But some mainstream real-time OS vendors are now producing certification kits and offering subsets of their software that are certifiable to the spec.
Several factors are driving COTS operating system vendors toward DO-178B:
Commercial aviation represents a new market opportunity for some firms, as more complex applications make the proprietary approach less attractive;
Some military programs require software developers to meet the more rigorous civil guidelines; and
Ground-based aviation software interacting with airborne systems also is coming under the DO-178B umbrella.
The proprietary approach "will become less common," predicts Jim Krodel, program element leader for aircraft information systems at United Technologies Research Center and co-chairman of the RTCA’s Special Committee 190 (SC-190), which has worked to clarify COTS and other issues in DO-178B. "As avionics systems become more and more complex, we now have a good case for these very thorough and robust [COTS] operating systems."
DO-178B defines a hierarchy of avionics software criticality, Levels A through E (see table). In the past year or two, "[COTS] operating systems companies have been trying to step up from lower-criticality to higher-criticality applications," Krodel says.
But proprietary software is the No. 1 approach in safety-critical applications across industries today, says Greg Gicca, worldwide director of product marketing for Aonix. "It has been difficult to use COTS software; it couldn't meet DO-178B," says Jay Ficarro, deputy division manager with Innovative Systems Solutions, a unit of Ensco Inc., Endicott, N.Y. Certifiable COTS operating systems and tool kits "are just coming out now," he adds. Innovative Systems Solutions advises on the use of COTS OS software and on the development of proprietary operating systems.
But acceptance of COTS software can still be a struggle, given traditional practice. "There is a ‘not invented here’ attitude amongst some people who actively campaign against the COTS philosophy," says Simon Collins, a product manager with UK-based Radstone Technology, a pioneer in COTS hardware. "There is a common misconception that COTS proponents are referring to … hardware and software which can be purchased at the local PC store.
"On this basis, it is argued that COTS can only be used in lower safety integrity level systems with appropriate ‘wrappers.’" (A wrapper is software placed between a COTS component and the rest of the system; it mediates the component's interface so that its behaviour can be constrained and its failures contained, and it is the wrapper rather than the COTS component that the integrator then has to argue about.) "However, the weight of opinion in systems integrators is clearly shifting towards directing engineering activities into adding real value to the overall solution, rather than ‘reinventing the wheel,’" says Collins.
Aonix's specialized C-Smart real-time OS kernel, the central core of the operating system, is certifiable to DO-178B, Level A, Gicca says. The software or a subset of it is found in the braking and steering control unit of Airbus A330s and A340s; the flight management, ground collision avoidance and display systems for the C-130J; and in the Global Positioning System (GPS), axle steering, power management and brake systems for the Boeing 777.
LynuxWorks Inc.'s LynxOS, meanwhile, has been certified to the European equivalent of DO-178B (EUROCAE ED-12B), Level C, for a Future Air Navigation System (FANS) element in Airbus A320s and A340s. The San Jose company began offering a DO-178B certification kit, along with its full OS kernel, about a year ago.
A major avionics manufacturer also is using the toolkit and augmenting it to get to Level A on a commercial avionics software project, says Mitchell Bunnell, LynuxWorks’ chief technology officer. LynxOS also is used in the Boeing 777 cabin management system.
Wind River Moves
Bunnell sees a growing interest in COTS on the civil side. Applications are getting bigger and more complex, he says. "The ability to roll your own operating system and meet all the requirements is getting harder."
Wind River Systems Inc., Alameda, Calif., began offering a DO-178B-certifiable subset of its VxWorks real-time operating system earlier this year. A toolkit that can be used to develop software applications certifiable to Level A has been available for about a year.
VxWorks today is found on B-2 bombers, Compass Call surveillance aircraft, and E-2C Hawkeye airborne early warning aircraft, says John Warther, Wind River national sales manager. The company is moving into DO-178B territory, as well. It has just begun a couple of Level C projects with a developer of backup cockpit displays for corporate and general aviation aircraft, says Joseph Wlad, Wind River's DO-178B product manager. A ground-based Wide Area Augmentation System (WAAS) application, planned for certification to Level B, also is in the works, along with a Level B ground communications project for the European Geostationary Navigation Overlay Service (EGNOS), the European counterpart to WAAS. And a military helicopter project aiming at Level A has started with Eurocopter, using the new Wind River "cert kit."
"We had to create a certifiable subset of VxWorks," Wlad explains. "We removed object-oriented functions, routines that lead to memory fragmentation, and the networking features." The process was arduous because the goal was "to provide as much functionality as possible without creating a version of VxWorks that was not a true subset of the commercial version." In April and July 2001, Wind River and its subcontractor Verocel Inc. went through a Federal Aviation Administration (FAA) audit in support of WAAS. "The results were … that [FAA] had ‘no findings,’" which means "they foresee no barriers to eventual certification when the WAAS application is complete," Wlad explains.
Accelerated Technology Inc. (ATI), Mobile, Ala., announced in September 2001 that its Nucleus real-time OS had "completed Level B certification." Such claims are industry shorthand: DO-178B provides no freestanding certification of an operating system. An RTOS is approved only as a component of a system that is itself being certified, so a "certified" or "certifiable" OS is one whose certification evidence has been accepted in such a project or has survived regulatory audit, not one that carries an approval of its own.
Nevertheless, there will always be a place for custom approaches, Ficarro says. In a large multiboard software development project, for example, the COTS approach may become cost-prohibitive. "It boils down to cost and safety," he says.
DO-178B Expands Turf
DO-178B, the dominant civil avionics software development spec, is not standing still. The almost 10-year-old guideline has made inroads in military aviation and ground-based aviation applications.
The C-130 Avionics Modernization Program (AMP) requires software to be developed "to DO-178B or the equivalent level of safety," explains Ed Kunay, director of engineering at the Mobility Systems Program Office, with the U.S. Air Force’s Aeronautical Systems Center.
Contract specs for the KC-135 Global Air Traffic Management (GATM) and C-130J aircraft don’t include DO-178B requirements, Kunay says. But "the Air Force applies a rigorous process to self-certify its aircraft for GATM compliance."
The process "uses DO-178B as a guide for software safety criteria." (For self-certification, FAA approval is not required.) The baseline C-130J was FAA-certified, however, enabling sales of the aircraft outside the U.S., says an industry verification expert.
Ground-based aviation systems are being brought under the DO-178B umbrella. FAA is requiring that Controller Pilot Data Link Communications (CPDLC) ground systems be developed according to that guidance, to Level C (see table).
Similarly, ground equipment for both the Wide Area and Local Area Augmentation Systems (WAAS and LAAS) is being developed to DO-178B, Level B. This policy reflects the increased interaction between the ground and airborne segments of such programs.
"DO-178B is treated like a standard although there are no ‘shalls’ in it," says George Romanski, president of Verocel Inc., Westford, Mass., which works with Wind River Systems Inc., the COTS operating system vendor now breaking into the civil avionics market.
Nevertheless, "FAA has a regulation: if you want an airplane to fly, use DO-178B or satisfy the requirements of DO-178B," Romanski says.
COTS issues have driven further attention to the spec. In 2000, RTCA Special Committee 190 (SC-190) published DO-248A, a document that considered and clarified COTS software and other issues with DO-178B, says Jim Krodel, program element leader at United Technologies Research Center and SC-190 co-chairman.
"The COTS software issue was not addressed effectively in DO-178B because the technology at the time for avionics systems was somewhat immature," Krodel says. There were a few paragraphs in DO-178B about COTS, but "the guidance was not complete enough to provide the FAA an effective determination about its acceptance in an airborne system."
A further clarification, DO-248B, provides more information on topics spanning the entire software development process, such as planning, design, code, verification, tools and COTS, Krodel says. RTCA approved this document in October 2001 and was expected to make it available for purchase soon afterward.
Companies
Accelerated Technology Inc. http://www.acceleratedtechnology.com
Aonix http://www.aonix.com
Ensco Inc. http://www.ensco.com
Green Hills Software Inc. http://www.ghs.com
LynuxWorks Inc. http://www.lynuxworks.com
OSE Systems Inc. http://www.ose.com
Wind River Systems Inc. http://www.wrs.com