
Wind River (an Intel company) White Paper

WHEN IT MATTERS, IT RUNS ON WIND RIVER

SAFETY-CRITICAL SOFTWARE DEVELOPMENT FOR INTEGRATED MODULAR AVIONICS
Paul Parkinson, Principal Systems Architect, Aerospace & Defense, Wind River

EXECUTIVE SUMMARY

This technical paper presents recent trends in the development of safety-critical avionics systems. It discusses the emergence of Integrated Modular Avionics (IMA) architectures and standards, the resulting impact on the development of an ARINC 653–compliant commercial off-the-shelf (COTS) real-time operating system (RTOS), and support for multi-core processor architectures.

TABLE OF CONTENTS

Executive Summary ..... 2
Introduction ..... 3
Application Development with VxWorks 653 Platform ..... 4
Spatial Partitioning ..... 4
Temporal Partitioning ..... 5
ARINC 653 Application Development ..... 5
Heterogeneous Application Support ..... 6
System Configuration ..... 7
Health Monitoring System and Restarts ..... 7
Tools for Safety-Critical Systems Development ..... 8
Security Considerations for Networked IMA Systems ..... 9
Safety Considerations for IMA Systems ..... 10
Summary ..... 10
References ..... 11

INTRODUCTION

Many avionics systems have been successfully developed using custom hardware and software. However, over the last decade, the full lifecycle costs of customized systems have forced original equipment manufacturers (OEMs) to consider the use of COTS-based systems.

At the same time, there has been a noticeable migration away from federated architectures, where each individual subsystem performs a dedicated function, toward generic computing platforms that can be used in multiple types of applications and, in some cases, can run multiple applications concurrently. This approach, known as integrated modular avionics, or IMA, results in fewer subsystems that take up less space and have reduced weight and power consumption (often referred to as SWaP). A number of civil and military research programs have sought to define IMA architectures, and while they differ in their approaches, they share the same high-level objectives:

• Common processing subsystems: An IMA architecture should allow multiple applications to share and reuse the same computing resources so that fewer subsystems need to be deployed, resulting in more efficient use of system resources and leaving space for future expansion.

• Software abstraction: An IMA architecture should isolate the application not only from the underlying bus architecture but also from the underlying hardware architecture. This practice enhances portability of applications between different platforms and also enables the introduction of new hardware to replace obsolete architectures.

• Maximize reuse: An IMA architecture should allow for reuse of legacy code. This practice reduces development time while affording the developer a method of redeploying existing applications without extensive modifications.

• Reduced cost of change: An IMA architecture should reduce the cost of change, both because IMA facilitates reuse and because, by decoupling the constituent pieces of the platform that execute on the same processor, it simplifies the impact analysis, lowering retest costs.

IMA also facilitates support for applications that have ever-increasing levels of functionality, including the interactions between complex applications (such as head-up displays, map display systems, and weather radar displays). IMA can also now exploit the technology of multi-core processors in order to facilitate such diverse applications as I/O offload; executing multiple, disparate operating environments (such as Linux or other non-COTS operating systems) through virtualization; and addressing the increasingly demanding needs of processing power and speed required by the previously listed applications.

Although a number of IMA architectures and standards have emerged, the ACR Specification [1] and ARINC Specification 653 [2] appear to have the widest adoption in the avionics community. The ACR Specification addresses architectural considerations, whereas ARINC Specification 653 defines at a high level an instance of a software implementation for an IMA architecture. The widespread adoption and support of ARINC 653 is also evident in the Future Airborne Capability Environment (FACE™) for U.S. military avionics programs. These and other IMA standards place new demands on the software architecture, especially the RTOS implementation provided by the COTS supplier.

Wind River® has specifically addressed these needs by developing Wind River VxWorks® 653 Platform to support ARINC 653 and POSIX®. This support for open architectures has contributed to VxWorks 653 Platform being selected for and deployed in many avionics systems and safety-critical applications, including the C-130 Avionics Modernization Program, 767 Tanker, the Boeing 787 Dreamliner Common Core System (CCS), and the Airbus A330 MRTT. VxWorks 653 Platform has also subsequently undergone independent conformance verification, testing against the FACE Safety Base Profile, and is the first COTS RTOS to achieve conformance certification [3].

The following sections consider the technical requirements for an integrated device software platform to support IMA applications and show how VxWorks 653 Platform (see Figure 1) fulfills these requirements—in particular within the context of ARINC 653 application development.
[Figure 1. Wind River VxWorks 653 Platform. Diagram panels: Workbench Development Suite (Eclipse Framework; Editor, Compiler, System Viewer, Port Monitor, CPU Monitor, Host Shell, Project, Debugger); Runtime Components (ARINC 653 API, VxWorks API, POSIX API; VxWorks 653; DO-178 Network Stack; DO-178C Level A Certification Material); Software Partners (AdaCore GNAT Pro Ada Compiler); Certification Partners; Hardware Partners (Wind River Simics Simulation Environment; COTS Boards, Semiconductor Architectures); Training and Professional Services (Training and Mentoring, Platform Customization, Hardware/Software System Design, Design Services, Integration).]

APPLICATION DEVELOPMENT WITH VXWORKS 653 PLATFORM

The ACR Specification defines two important concepts widely used in IMA: spatial partitioning and temporal partitioning.

Spatial Partitioning

Spatial partitioning defines the isolation requirements for multiple applications running concurrently on the same computing platform, also known as a module. In this model, applications running in an IMA partition must not be able to deprive each other of shared application resources or those provided by the RTOS kernel. This state is most often achieved through the use of different virtual memory contexts enforced by the processor's memory management unit (MMU).

These contexts are referred to as partitions in ARINC 653. Each partition contains an application with its own heap for dynamic memory allocation and a stack for the application's processes (the ARINC 653 term for a context of execution).

These requirements affect the design and implementation of the RTOS kernel and language runtime system. For example, VxWorks 5.5 uses a shared virtual address space for applications and provides basic support through the MMU to prevent accidental or malicious access to program code by errant applications, without incurring the performance overhead of a full process model. VxWorks 6, VxWorks 7, and VxWorks 653 provide environments that use the MMU to enforce separate contexts.

However, in an IMA environment, memory protection alone would not prevent an errant application running in a partition from consuming system resources, which might have a detrimental effect on an application running in another partition. This issue can have serious consequences where multiple applications of differing levels of criticality are running on the same processor. This problem cannot be resolved through the use of a full process model alone; instead it requires the development of an RTOS that specifically addresses the needs of IMA. The VxWorks 653 operating system was designed specifically for this purpose and supports the ARINC 653 model in the implementation of the kernel architecture (see Figure 2).

• The module OS interacts directly with the computing platform (core module), providing global resource management, scheduling, and health monitoring for each of the partitions. It also uses a board support package (BSP), the hardware-specific configuration required to run on different processors and hardware configurations. Multi-core processors are also supported by the module OS and its BSP. Executing on a multi-core processor allows some additional capabilities to be exploited, such as running in an asymmetric multiprocessing (AMP) configuration and being able to assign multiple cores to application partitions for use by the application, accomplished through the use of APIs provided in ARINC 653 Part 1, Supplement 4. This ability can also allow individual partitions to be executed on their own core for additional spatial separation.

• The partition OS is implemented using the VxWorks microkernel and provides scheduling and resource management within a partition. Communication with the module OS occurs through a private message-passing interface to ensure robustness. The partition OS also provides the ARINC 653 application/executive (APEX) interfaces for use by applications.
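To make the resource-management point concrete, the following is an added toy model written for this edit; it is not code from the paper, from Wind River, or from VxWorks 653. It models a module OS that enforces two per-partition budgets, a memory quota (the spatial side) and a fixed time window within a major frame (the temporal side), so that an errant partition cannot deprive a well-behaved one of resources. The partition names, quotas, tick counts and the bookkeeping structures are constructed assumptions; in a real ARINC 653 system the isolation is enforced by the MMU and the kernel's fixed schedule, not by a struct like this. The scenario shows that a partition which over-allocates is refused without touching any other partition's memory, that a partition which overruns its window is cut off at the window boundary while the other partition still receives its full budget, and that the overrun is recorded for the health monitor.

```c
/* Added illustration (not Wind River / VxWorks 653 code): a constructed model
 * of an ARINC 653-style module OS enforcing per-partition memory quotas and
 * fixed time windows inside a major frame. All names and budgets are made up. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PARTITIONS 4

typedef struct {
    const char *name;
    size_t mem_quota;      /* bytes this partition may hold in total */
    size_t mem_used;
    unsigned time_window;  /* ticks granted to it in every major frame */
    unsigned demand;       /* ticks its application tries to run per frame */
    unsigned ran;          /* ticks actually executed in the last frame */
    unsigned overruns;     /* health-monitor counter: frames with demand > window */
} partition_t;

typedef struct {
    partition_t parts[MAX_PARTITIONS];
    int count;
    unsigned major_frame;  /* sum of all partition windows */
} module_t;

/* Register a partition in the fixed schedule; returns its index or -1 when full. */
int module_add_partition(module_t *m, const char *name, size_t mem_quota,
                         unsigned time_window, unsigned demand)
{
    if (m->count >= MAX_PARTITIONS) return -1;
    partition_t *p = &m->parts[m->count];
    memset(p, 0, sizeof *p);
    p->name = name;
    p->mem_quota = mem_quota;
    p->time_window = time_window;
    p->demand = demand;
    m->major_frame += time_window;
    return m->count++;
}

/* Spatial budget: every allocation is charged to the requesting partition only.
 * Returns NULL once that partition's quota is exhausted, no matter how much
 * memory the other partitions still have. */
void *partition_alloc(partition_t *p, size_t bytes)
{
    if (bytes > p->mem_quota - p->mem_used) return NULL;   /* quota check first */
    void *blk = malloc(bytes);
    if (blk) p->mem_used += bytes;
    return blk;
}

/* Temporal budget: run one major frame. A partition executes at most its own
 * window; one that wants more is preempted at the boundary and the event is
 * logged for the health monitor. Unused slack is not lent to other partitions,
 * so the frame length is always the same. Returns ticks consumed. */
unsigned module_run_frame(module_t *m)
{
    unsigned consumed = 0;
    for (int i = 0; i < m->count; i++) {
        partition_t *p = &m->parts[i];
        if (p->demand > p->time_window) {
            p->ran = p->time_window;   /* cut off at end of its window */
            p->overruns++;
        } else {
            p->ran = p->demand;        /* finished early; slack stays idle */
        }
        consumed += p->time_window;
    }
    return consumed;
}

/* Constructed scenario: "display" behaves; "maint" asks for twice its memory
 * quota and five times its time window. Returns 1 if "display" kept both of
 * its budgets and the overrun was recorded, else 0. */
int demo_isolation(void)
{
    module_t m;
    memset(&m, 0, sizeof m);
    int disp = module_add_partition(&m, "display", 4096, 30, 30);
    int mnt  = module_add_partition(&m, "maint",   1024, 10, 50);

    void *a = partition_alloc(&m.parts[mnt], 2048);   /* refused: over quota */
    void *b = partition_alloc(&m.parts[disp], 4096);  /* granted: within quota */
    unsigned frame = module_run_frame(&m);

    int ok = (a == NULL) && (b != NULL)
          && m.parts[disp].ran == 30
          && m.parts[mnt].ran == 10
          && m.parts[mnt].overruns == 1
          && frame == m.major_frame;
    printf("%s ran %u/%u ticks; %s ran %u/%u ticks, overruns=%u; frame=%u\n",
           m.parts[disp].name, m.parts[disp].ran, m.parts[disp].time_window,
           m.parts[mnt].name, m.parts[mnt].ran, m.parts[mnt].time_window,
           m.parts[mnt].overruns, frame);
    free(b);
    return ok;
}

int main(void) { return demo_isolation() ? 0 : 1; }
```

The design choice worth noting is that the quota check in partition_alloc runs before the shared allocator is touched and is keyed to the caller's partition, and that module_run_frame never reallocates a partition's idle time to its neighbour. Those two rules are what turn "one partition cannot deprive another" from an intention into an invariant the health monitor can check.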