Safety-Critical Software Military-COTS DO-178B application feature from CompactPCI Systems
"Safety-Critical Software" originally appeared in the April 2003 issue of CompactPCI® Systems. "Safety-Critical Software" has been reproduced here with the kind permission of CompactPCI Systems magazine. Download the original PDF version of "Safety-Critical Software" here.
 Due to the Global Aviation Traffic Management (GATM) agreement which has international validity and applicability, airborne military and space systems must also comply with DO-178B guidelines and certification. |
Software plays a critical role in almost every facet of our daily life—from cooking in our kitchens, to driving our cars, to working in our offices. Some of these systems are safety-critical. Failure of software could cause catastrophic consequences for human life. Imagine the antilock brake system (ABS) in your car. A software failure here could render the ABS inoperable at a time when you need it most. For these types of safety-critical systems, having guidelines that define processes and objectives for the creation of software that focus on software quality, or the ability to use software that has been developed under this scrutiny, has tremendous value for developers of safety-critical systems.
In 1992, the Radio Technical Commission for Aeronautics (RTCA) approved the specification DO-178B for the aviation industry. This specification, the Software Considerations in Airborne Systems and Equipment Certification, was created to provide the aviation community guidance for determining, in a consistent manner, and with an acceptable level of confidence, that software aspects of airborne systems and equipment comply with airworthiness requirements. There are multiple levels of rigor that are applied to this software—from level E to level A—with level A being the most stringent. This guidance ties together system requirements, system life cycle processes, safety assessment processes and software life cycle processes, and documented traceability to show that the processes have been met. Historically, DO-178B was mandated for Air Transport class of aircraft and commercial avionics to comply with Federal Aviation Administration (FAA) regulations in safety critical systems. However in recent years, due to the Global Aviation Traffic Management (GATM) agreement which has international validity and applicability, airborne military (as shown in Figure 1) and space systems must also comply with DO-178B guidelines and certification for the safety of all aircraft.
The DO-178B specification does not contain anything magical; it enforces good software development practices and system design processes. It describes traceable processes for objectives such as:
- High-level requirements are developed
- Low-level requirements comply with high-level requirements
- Source code complies with low-level requirements
- Source code is traceable to low-level requirements
- Test coverage of high-level and low-level requirements is achieved
At higher levels, such as level A, these objectives must be verified by independent parties. No dead code is allowed in the system and all the requirements, code, and test information can be audited and traced. These documents are commonly called "artifacts." For a piece of software to pass the rigor of DO-178B, satisfying the objectives of the specific level is required and there must be traceability through the artifacts to verify that the objectives have been met.
 Commercial-off-the-shelf (COTS) operating systems are now available in the market, such as LynuxWorks' LynxOS-178. |
In contrast, typical commercial software is created and modified, and then due to time-to-market pressures or cost considerations, the developer may not choose to conduct independent reviews or testing of 100 percent of the code. Most commercial code is only reviewed or tested to an acceptable level of confidence to meet the business objectives of the manufacturer and for the criticality of the software. In many cases, this "typical" commercial software is not acceptable for use in systems where a malfunction of the software could lead to catastrophic consequences. This is where purchase and use of DO-178B verifiable software can give manufacturers confidence that they have used the highest quality software in their safety-critical application.
Commercial-off-the-shelf (COTS) operating systems are now available in the market, such as LynuxWorks LynxOS-178 (see Figure 2), that have been verified to DO-178B Level A. LynxOS-178 has been used in avionics subsystems by manufacturers such as Rockwell Collins, and is intended to be a common reusable element for safety-critical systems. In this case, all of the processes and objectives of DO-178B have been met for both the OS and the independent TCP/IP stack. The commercial availability of an operating system and TCP/IP stack enables manufacturers of DO-178B systems to get to market faster and lowers the overall business risks associated with the time and cost of certifying a system. And just as importantly, it reduces the cost and time of certifying foundational elements, so manufacturers can concentrate on their value add, which is the application.
In addition to being a tremendous value to avionics manufacturers that must conform to DO-178B, availability of certifiable software is a tremendous value for all creators of all safety-critical systems. They can leverage these reliability benefits into their applications at a fraction of the historical cost. Commercial availability of certifiable software should spur development in markets for safety-critical applications and reduce time-to-market of important applications that can enhance the quality of our lives and protect us in critical situations.
About the author:
Greg Rose is the director of product management for LynuxWorks, Inc. Greg is a graduate of Iowa State University with a Bachelor of Science in Electrical Engineering. Prior to joining LynuxWorks in 1993, Greg had 11 years experience in embedded and real-time software design, and systems engineering. He has presented papers at Embedded Systems Conferences and published multiple articles in EE Times and other engineering trade publications.
©Copyright 2003, CompactPCI Systems.
- DO-178B Provides Certification Safety net
- Developers of commercial avionics software must demonstrate compliance with DO-178 guidelines. The FAA has issued additional guidance for so-called DO-178B Reusable Software Components (RSCs as defined in AC20-148), which allow for reuse of certifications. (COTS Journal, November 2009)
- Designing Safety-critical Avionics Software Using open Standards
- Safety-critical avionics systems have continually grown more complex and software-intensive. Regulatory authorities and avionics manufacturers have responded with guidance such as DO-178B and RSC to ensure that software performs safely, with controlled development cost. (Boards and Solutions, September 2009)
- Two Different Realms: RTOS Support for Safety-critical vs. Security-critical Systems
- Safety- and security-critical system functions are evolving simultaneously, with different yet similar requirements. Modern RTOSes are stepping up to meet these needs. (VME and Critical Systems, June 2009)
- Virtualization Makes Better use of Open-source OSes and apps
- With the introduction of the embedded hypervisor, embedded systems can avoid certain performance or licensing issues inherent to open-source OSes and applications. (EE Times, March 23, 2009)
- Secure Virtualization Technology can Extend the life of Legacy Systems
- By combining the concept of virtualization and security, one can consolidate multiple legacy systems running on heterogeneous operating systems onto a single host system with high-assurance security. (Military Embedded Systems, January/February 2009)
- Separation Kernel for a Secure Real-time Operating System
- The technical foundation adopted for the so-called MILS architecture is a separation kernel like LynxSecure, which permits multiple functions to be realised on a common set of physical resources without unwanted mutual interference. (Boards and Solutions Magazine, February 2008)
- Advances in Virtualization aid Information Assurance
- Advances in the newest Intel® processors are making virtualization much easier to implement in security applications than ever before. (Embedded Computing Design, January 2008)
- Protecting our most Vital Systems
- Some significant defence programmes are already committed to a new approach to high-threat, high-asset-value systems. Rance DeLong explains MILS. (Components in Electronics, April 2007)
- Perspectives: Security and the Separation Kernel
- Today's avionics systems are designed to support more than one application, using a partitioned operating system and memory management units to ensure applications have adequate separation. (Avionics Magazine, April 2007)
- MILS: An Architecture for Security, Safety, and Real Time
- The unrelenting growth and integration of embedded controls, information processing, and communications has created a need for systems that provide robust protection for resources and services in the face of serious threats. (Air Force Research Laboratory Technology Horizons, November 2006)
- Partitioning Operating Systems Versus Process-based Operating Systems
- Partitioning operating systems are the latest buzz, while processes, by contrast, have been around for over 30 years. Both provide memory protection, however, the intent behind them is very different.
- DO-178B and the Common Criteria: Future Security Levels
- Although there are similarities between the airborne safety-critical requirements in RTCA/DO-178B and the Common Criteria, ISO 14508, compliance with the higher levels of security in the Common Criteria demands meeting additional security requirements. (COTS Journal, April 2006)
- Reusing Safety-Critical Software Components
- Safety-critical systems often operate together as a single "system-of-systems," making it important that they meet the most stringent and rigorous requirements for safety-criticality. The failure of one module in a system could create other failures or vulnerabilities, or worse yet, failure of the system as a whole. (COTS Journal, August 2005)
- Using the Microprocessor MMU for Software Protection in Real-Time Systems
- With minimal impact to overall system performance, user tasks and the kernel can be protected from accidental corruption by using multiple protected address spaces.
- Improving code Migration and Reuse
- The unrelenting growth and integration of embedded controls, information processing, and communications has created a need for systems that provide robust protection for resources and services in the face of serious threats. (Embedded Computing Design, August 2006)
- LynuxWorks: A case Study in Combat-ready Linux
- As open source, especially Linux, makes its way into nearly every sector of the economy, one of the final frontiers is the military and aerospace market, where new applications must clear hurdles such as the FAA's rigorous DO-178B certification for aviation software. (Newsforge, December 2005)
- FCS Program Rolls Forward in Formation
- A wireless data network, with advanced communications and technologies, links soldiers with 18 new, lightweight manned and unmanned ground vehicles, unmanned aircraft, sensors and weapons—and it's all in one program. (COTS Journal, June 2005)
- Embedded Tools Train an eye on Security
- As embedded designers incorporate more security and safety needs into devices, embedded tools will have to evolve to provide capabilities needed both for product development and process management. (EE Times, September 2004)
- Secure Operating Systems for Deeply Embedded Devices
- As we add more intelligence to our embedded devices, we find that they are becoming increasingly integrated into our information technology infrastructure. Though system security is not a new concept, security-in-depth is a new paradigm developers are now starting to address. (RTC Magazine, September 2004)
- Webinar: Latest Release of LynuxWorks' Safety-critical DO-178B-certified RTOS, Mar 24
- Avionics Europe 2010, Amsterdam, Netherlands, Mar 24-25
- LynxSecure Real-time Applications and Device Driver Programming Workshop, San José, CA, USA, Mar 30-Apr 2
