Standards, Choice and Flexibility for Aerospace and Defence Devices

Transcription

1 Standards, Choice and Flexibility for Aerospace and Defence Devices SESAM 31 st May 2006 Alex Wilson Senior Program Manager Aerospace and Defence

2 Who are Wind River? Agenda Trends and Standards lead to requirements How does a COTS OS meet these requirements? What is the impact of Safety Certification? What is the impact of Security Certification?

3 What Our A&D Customers Do Our customers make differentiated devices by focusing on intelligent, connected device software

4 What We Do: Device Software Optimization Wind River enables companies to develop and run device software faster, better, at lower cost, and more reliably.

5 Wind River Corporate Facts Wind River Overall Wind River Aerospace & Defence Wind River Engineering Established 1981, IPO in 1993 FY06 Revenue $266 Million (+13%) 28% of Revenue is A&D Largest A&D COTS Market Share 450 Engineers 170 Support Engineers 1200 Employees Worldwide

6 What types of systems give us information? Land Sea Air Space Commercial Aviation Abrams Tank Challenger Tank CHALS-X CIBADS II Fuchs Spürpanzer GIG-E Program JCAD JTRS MLRS Patriot Missile PDCUE TDOA System THAAD Missile TRC 4000 AEGIS AN/AQS20/X Sonar A/N SQQ-89 ASW Astute Class Sub. Harpoon Missile Mark 48 GMVLS MK41 5 inch gun NCSSS NAVMACS Phalanx CIWS SGS SSDS Trident Missile Type 45 Destroyer Apache Helicopter AWACS Airbus A400M B-1B B-2 B-52 C-130 AMP EC-725 Helicopter Eurofighter Typhoon F-15 F-16 F-18 F-22 F35 (JSF) Global Hawk UAV Tornado UCAS-N (X-47B) A2100 Satellite EGNOS HOPE-X Space Plane Mars Rovers Mars Odyssey Mars Recon Orbiter Mars Pathfinder Mars Recon Orbiter MTSAT-2 Satellite MUBLCOMM Satellite NASA Space Shuttle NPOESS ORBCOMM PROBA Satellite SBIRS SORCE Satellite X38 Space Lifeboat Airbus A318 Airbus A319 Airbus A320 Airbus A340 Airbus A380 ATIDS Boeing 777 Boeing 787 Dreamliner EC-225 Helicopter GlobalStar 2100 VICTORIA Program WAAS

7 A&D (Force) Transformations in DSO Old Way Foot Soldier Manned Aircraft Federated Systems Proprietary Systems Proprietary APIs Standalone / Isolated New Way Robotic Device Unmanned Aerial Devices Integrated Modular COTS Systems Standard APIs Networked / Connected

8 Aerospace & Defence Industry Characteristics Increasingly long lifecycles How to update existing capabilities? How to overcome obstacles due to obsolescence? Processor Architecture Migration Increased supply cost of near-obsolete components New technology introduction MultiCore, FPGA, SoC? Software obsolescence and reuse Emerging software standards IPV6, ANSI C++, ARINC653 Host support Windows 95, NT, 98, 2000, XP.. Safety and Security requirements Notional Projected Lifetime Extended Life B Years 0 Years

9 COTS and Open Standards

10 COTS Systems DO-178B Glossary Entry: Commercial off the shelf (COTS) software Commercially available applications sold by vendors through public catalog listings. COTS software is not intended to be customized or enhanced. Contract-negotiated software developed for a specific application is not COTS software. Interoperability, Compatibility and Obsolescence Concerns:- Is the Software API consistent across diverse Processor Architectures? Can the vendor readily support multiple COTS targets? Does the vendor provide consistency across Hosts and Targets? Who handles Middleware integration? Who handles Hardware/Software integration? Do Open Standards help? POSIX LINUX ARINC 653 ANSI Language standards

11 POSIX /pahz-icks/ An acronym for Portable Operating System Interface POSIX is a set of books specifying APIs It is neither a piece of code Nor an operating system It is a rich, proven API POSIX.1 is the full POSIX standard Defined by IEEE Std POSIX.1: 1123 routines (APIs) Profiles PSE51-PSE54 are subsets of POSIX.1 Defined by IEEE Std Rationale System Interfaces Commands Definitions Its about portability Both programmers and application source code Portability of the OS kernel itself and/or application binary code are not objectives

12 LINUX LINUX overview Full featured Unix mostly POSIX compliant * SMP capable Linux is NOT hard real-time (non-deterministic, kernel nonpreemptable) Generally requires more resources than COTS RTOS LSB Linux Standard Base Version 3.1 (Q2 2006) Application (I.e. Binary) And Kernel Draws on other standards such as POSIX * See The Open Group document: POSIX and Linux Application Compatibility Design Rules by C. Douglass Locke

13 What is ARINC 653? ARINC 653 is a application executive specification used for integrating avionics systems on modern aircraft Federated System Integrated Modular Avionics FCC IDS MCP EEC ADC FDR CDU Flight Management Computer FQIS GPS IRS ILS/MLS DME/ADF OMC VOR CLOCK

14 Example: Boeing 787 Common Core ~25 CCS Suppliers Auxiliary Power Unit Flight Data Recorder Common Core System Health Management Fuel Management Displays Flight Management Air Data Navigation Data Loading Crew Alerting Window Heat Ground Proximity Warning System Emergency lighting Cabin pressure Environmental Control Hydraulics Backup Electrical Crew/Pax O2 Fire Protection H2O/Lavs Thrust Reversers Landing Gear Brakes Steering

15 ANSI Language Standards C, C++ ANSI Standards fairly common for all compilers Exception with Visual C++ Some uptake of MISRA C subset Move towards MISRA-like subset for C++ Ada 2005 enhances standardisation of Ada Ada still used heavily in Europe for Safety Related tasks JAVA Usage Still increasing, some A&D Usage (Particularly RT JAVA)

16 Example of Standardisation Software Defined Radio

17 The Problem - Interoperability Northern Iraq: US Navy jets mistakenly attacked a Kurdish convoy led by US Special Operation Forces. Caused by a simple mix-up: the radios carried by the SOF were compatible only with USAF aircraft but not with US Navy jets which had attacked them! September 11: Hundreds of firefighters and police officers rushed into the World Trade Center. Helicopters circling overhead noticed the buildings starting to glow and relayed to incident commanders on the ground that the buildings may collapse. The police officers were given the order to evacuate --- all but 80 escaped. The firefighters never got the word of them, most within striking distance of safety, never got the word

18 The Solution: Software Defined Radio A software-defined radio (SDR) system is a radio communication system which uses software for the modulation and demodulation of radio signals or more simply put, plug-and-play waveforms! AN ENABLING TECHNOLOGY: Economies of Scale Interoperability Remote Management Standardisation

19 Software Communications Architecture Modeling tools and reference implementations Help developers build SCAcompliant waveforms SCA Definition Document SCA Development Tools Application Development Tools (IDE) IPv4/v6 Networking Definition document Standards-based framework Defines how elements of hardware and software are to operate in harmony within the JTRS (load waveforms, run applications, and be networked into an integrated system) SCA Core Framework CORBA API and services to provide abstraction of underlying h/w and s/w FPGA s re-progammable for various waveforms DSP s intensive computations Operating System Hardware (GPP, FPGA, DSP)

20 Example of Standardisation Network Enabled Capability

21 Network Enabled Capability Concept of a NEC A robust networked force improves information sharing Information sharing enhances the quality of information and shared situational awareness Shared situational awareness enables collaboration and self-synchronisation enhances sustainability Increases speed of command Goal Dramatic increase in mission effectiveness New and Emerging Philosophy of Warfare Sensors and Systems Cyber warfare

22 Technology requirements for NEC Interoperability to create a Network of Networks Land/Sea/Air Coalition forces Use of unmanned vehicles (Watchkeeper, Neuron..) Interoperability requirement leads to standards Requirement for vast numbers of interconnected devices IPv6 improvements Security implications System security (secure operating system) Data security (network security) Standardisation

23 Other Standards

24 IPv6 an enabler for NEC Internet Protocol version 6 (IPv6) is a new version of the Internet Protocol (IP) The successor to Internet Protocol version 4 (IPv4), the foundation of the TCP/IP protocol suite Supports the continued growth and advancement of the Internet Supports more directly-connected Internet nodes Allows the Internet to become a truly global network Enables ubiquitous connectivity -- Home, car and personal networks

25 Open Tools Environment - Eclipse "The FCS program sought a common software development environment that was an extensible, standardsbased platform, to address a broad range of needs for its software development projects," said Paul Schoen, Director of Software for SoSCOE, FCS. "Based on these and other defined criteria, the historical evidence of Wind River Workbench's Eclipse foundation promises a significant increase in productivity due to its flexibility, ease-of-use and scalability." One Common Cockpit for All Phases of Device Development, Debug and Test Eclipse 3.1 Open Tools Environment Customizable, task oriented perspectives Standards-based Open and extensible Project Compile Edit Project templates for commonly required configurations IDE managed or command-line defined builds Choice of compilers and editors Debugger Infrastructure Common debug interface regardless of target connection Built with differences between device HW and SW in mind Test Add on products to enable better device quality Unit Tester Unit and integration testing Diagnostics dynamic instrumentation on a running system

26 Software Safety Certification What impact does Safety have on systems?

27 What is Software Safety Certification? An approval by an individual or a company that a set of software meets the safety standards set by an agency responsible for guaranteeing safety in a particular industry. FAA Federal Aviation Administration RTCA DO-178B, RTCA DO-254, RTCA DO-278 EASA Joint Aviation Authorities EUROCAE ED-12B, EUROCAE ED-80 FDA Food and Drug Administration FDA 510(k) TÜV - Technischer Überwachungs-Verein IEC 61508, other IEC Standards MoD UK Ministry of Defense DEF STAN 00-56

28 What is a Safety Certification Process? 1. Write down requirements for human review 2. Implement those requirements 3. Test to insure that all requirements are met It is not creating perfect code

29 Required DO-178B Documentation Plan for Software Aspects of Certification (PSAC) Software Development Plan (SDP) Software Verification / Test Plan (SVP) Software Code Standards Software Requirements Standards Software Design Standards Software Change History Software Problem Report History Software Quality Assurance (SQA) Data Software Design Description Software Requirements Specification Software Verification Test Procedure Software Test Plan (STP) Software Unit Test Procedure Software Unit Test Plan Software Unit Test Report Software Integration Test Procedure Software Integration Test Plan Software Integration Test Report Source Code Test Coverage Report Test Results Report Software Correlation / Trace Matrix Version Description Document (VDD) Software Accomplishment Summary (SAS) Average Cost of DO-178B Level A ~ $100 per line of code

30 The ARINC 653 Challenge How can I change 1 independent application configure an application s resources (re) configure the health monitor without re-certifying the entire system?

31 Without Wind River Configuration Configuration Data Data C compiler compiler or or other other unqualified unqualified tool tool Replaceable Software Units Certify all together App 1 App 2 App 3 App 4 Configuration Data from unqualified tool Other ARINC 653 Operating System Configuration Data (partitions, ports, ) created by unqualified tool: must test and certify entire system as a whole, even for minor configuration change Higher initial development time, higher certification cost, higher cost of change and re-certification With Wind River XML XML Configuration Configuration Data Data DO-178B DO-178B Qualified Qualified XML XML Compiler Compiler App App 1 1 Certify separately App App 2 2 Binary Binary Configuration Configuration Data Data App App 3 3 App App 4 4 VxWorks VxWorks ARINC ARINC With PSC 2.1, XML-based configuration data, and qualified XML binary compiler: can test and, certify, and re-certify independent applications one by one Result: Lower development time, lower initial cert cost, and lower cost-of change and re-certification

32 So, what does this all mean? DO-178B Costs around $100 per SLOC VxWorks CERT is 16,000 SLOC VxWorks 653 CERT is 55,000 SLOC To reach Level A you need MCDC Code Coverage Deterministic Code Elimination of non-deterministic code conflicts with COTS goal POSIX (1700+ APIs in full POSIX) LINUX (Size and Determinism) IPv6 (Dynamic allocation of network buffers) SDR (Use of CORBA for plug-and-play waveforms)

33 Software Security Certification What impact does Security have on systems?

34 World s Fastest Security Overview Standard is the Common Criteria (CC), ISO 15408, accepted in North America, Europe, Israel, and Australia/NZ. The CC is mostly a repertoire of requirements at various levels of robustness. Requirements are divided into Functional (what a product does) and Assurance (how much trust we have in what it does) Evaluation is done at levels (EAL) 1 (low) - 7 (high). EAL1-4 are recognized internationally. EAL5+ are not. When you pass you get a Certificate and can use the CC Mutual Recognition Trademark. Similar to UL. Maintenance of Assurance is significant.

35 Evaluation Assurance Levels (EALs) Evaluation Assurance Levels & a (rough) Backward Compatibility Comparison to TCSEC* EAL EAL 1 EAL 2 EAL 3 EAL 4 EAL 5 EAL 6 EAL 7 Name Functionally Tested Structurally Tested Methodically Tested & Checked Methodically Designed, Tested & Reviewed Semiformally Designed & Tested Semiformally Verified Design & Tested Formally Verified Design & Tested TSEC C1 C2 B1 B2 B3 A1 *TCSEC - Trusted Computer Security Evaluation Criteria - the Orange Book

36 The MILS Architecture MILS - Multiple Independent Levels of Security MSL - Multi Single Level MLS - Multi Level Secure SL - Single Level CORBA - Client / Server DDS - Publish / Subscribe Application (User Mode) Partitions S TS (SL) (SL) S, TS (MLS) Trusted Path Display Manager (MSL) Token Service Driver (MSL) File Sys. Driver (MSL) Network Interface Unit (MSL) PCS (MLS) RT CORBA DDS Guest OS / Run-Time Libraries RT CORBA DDS Guest OS / Run-Time Libraries RT CORBA DDS Minimum Run-Time Library RTOS Micro Kernel (MILS Separation Kernel) Supervisor Mode MMU, Inter Partition Communications Interrupts Processor Source: Mark Vanfleet, NSA

37 NSA Estimated Life Cycle Costs for Security Formal Methods $$$ Individual Program Costs Proprietary Solution COTS Solution Est. $1000 per SLOC Development Costs (10 years) $9 Million $0 Reduced MILS Kernel <5000 SLOC Runtime licenses (3000 units) $0 $600,000 COTS Secure RTOS still $5M+ Annual Maintenance (10 year) $???? Program borne through life cycle $100,000 per year or $1 Million Not just a software problem Security Certification Costs Unknown, estimate $5 Million $5 Million Total 10 year Program Costs ~ $16+ Million $6.6 Million Cost for 5 DoD programs ~ $80 Million $13 Million

38 How does COTS Software follow these standards?

39 General Purpose Platforms Integrated Development Suite Integrated Partner Software Standards-based Middleware Linux Kernel 2.6 / VxWorks 6.2 Integrated Partner Hardware Plus Global Services and Support Wind River Workbench Eclipse-based development suite Complete lifecycle development Cross-build system Wind River Distribution Industrial-grade Tested, validated, supported, and maintained Carrier Grade Linux or VxWorks 6.2 Networking and security packages Integrated Partner Ecosystem Software Advanced networking Database Hardware COTS ATCA and CPCI boards Development and reference boards DO-178B Level A Certification for VxWorks 6.x in 2007

40 COTS Solution for SDR (Based on General Purpose Platform 3.2 for VxWorks and Linux) CRC SCARI++ Eclipse Boeing Standard for FCS Common Framework Workbench Eclipse Framework Communications Research Centre (CRC) Core Framework Scalable Certifiable (DO-178B) Power Management POSIX conformant Objective Interface Systems (OIS) ORBexpress (CORBA) VxWorks 6.2 IPv4/v6 Networking Hardware Partners Linux IPv6 Gold Logo Interpeak for MILS/DO-178B Pristine (kernel.org) Transparent build process Thorough testing & validation Global services and support Global Services and Support

41 Enabling Technologies: multi-core Application/real-time partitioning Upgrades IP protection and re-use Security partitioning Merging of legacy systems Algorithm offload

42 Workbench Development Suite Eclipse Framework Support for multiple OSes VxWorks 653, VxWorks 6 Linux, ThreadX Editor, complier, debugger C, C++, Ada* On-chip debug support Analysis tools System Viewer Scope tools Source code analyzer * Partner product DO-178B Certification Tool Suite Cuts Cert Time, Cost XML Configuration Suite DO-178B Level A qualified development tool Schema submitted to ARINC 653 committee DO-178B qualified verification tools Agent for Certification Environment Port monitor CPU monitor Memory monitor Host shell command Platform Safety Critical VxWorks ARINC 653 Wind River Workbench Integrated Partner Software VxWorks 653 Hardware Support (PowerPC) Support, Training, Professional Services > customers! Integrated Partner Support Certifiable ARINC 664 Stack CORBA OpenGL ARINC 615A Data Loader VxWorks 653 Time and space partitioning Plus slack=stealing feature Meets SC-200 IMA requirements ARINC 653 compliance, including Health Management Fast cold/warm restart (2 sec / 100 millisecond typical) Multiple partition OS with support for: ARINC 653 API VxWorks API subset POSIX subset Customer legacy OS possible Slack time scheduling DO-178B Level A cert evidence

43 VxWorks 653 Architecture User Mode ARINC Application POSIX Application VxWorks Application Ada Application ARINC API POSIX API VxWorks API Ada API Partition OS Partition OS Partition OS Partition OS VxWorks 653 Application Executive (with ARINC 653 ports and time/space scheduler) Board Support Package (BSP) Kernel Mode Hardware Board

44 DO-297 Supplier Separation / Security Platform Provider System Integrator Application Developers XML Table Editor XML Table Editor XML Config File XML Table Editor XML Config File XML Table Editor XML Config File XML Table Editor XML Config File XML Config File DO-178B Qualified XML Compiler Binary Configuration Data Hardware Platform

45 Wind River Certification Materials Certification Evidence for RTCA DO-178B Level A: Platform for Safety Critical DO-178B Platform for Safety Critical ARINC 653 These include: All required DO-178B Level A documents Documentation for requirements High and low-level design Source code Test code Reviews All test results Coverage Analysis at Level A (MCDC) For VxWorks/Cert: 260 MBytes, 14,000 files For VxWorks 653: 1.9 GBytes, 55,000 files

46 Wind River MILS Platform User Mode Secure App # 1 Level X Secure App #2 Level X Secure App #3 Level Y Secure App #4 Level Z Middleware Middleware VxWorks MILS Separation Kernel (SK) Board Support Package (BSP) Kernel Mode Hardware Board

47 Wind River in Aerospace and Defence The Wind River DSO Solution Industrial-strength platform World-class development suite Tightly integrated partner ecosystem Standards participation Global Services and support 23 years of experience in device software innovation

48 Question and Answer Session Thanks! Alex Wilson A&D Field Operations