Setting the Standard for Multicore Certification and Other Areas of Conformance

Navigating the challenges and complexities around certification and wider conformance is a complicated undertaking, spanning standards compliance and conformance, mandates, and processes. In this blog, we’ll look at some areas where Wind River has achieved a leadership or ‘first mover’ position, based on our deep experience and expertise. Let’s investigate further with the aid of some quick facts.

Multicore Certification in Aerospace and Defense

We were instrumental in assisting Airbus with development on the A330 Multi-Role Tanker Transport (MRTT) aircraft – the world’s first tanker to be certified for automatic air-to-air refuelling (A3R) boom operations in daylight. Using VxWorks 653 Multi-core Edition, the system comprises multiple ARINC 653-compliant applications, running at the highest safety-criticality levels, on multiple processor cores in parallel, i.e., with no cores deactivated. This is extremely challenging because significant analysis and testing needs to be undertaken to prove that the multiple DAL-A applications cannot interfere with each other through the shared multicore hardware and cause the failure of one of the DAL-A applications, which could result in loss of life.

Navigating this multicore journey with our guidance earned Airbus the distinction of being certified by the Spanish National Institute for Aerospace Technology (INTA) – Spain’s Military Certification Authority, to ED-12C / DO-178C DAL A, covering CAST-32A requirements for multicore processing certification.

Quick fact: We announced this very significant step forward in January 2023, as an industry leader in multi-core certification.

Proven in the most challenging safety-critical applications, VxWorks 653 makes it easier and more cost-effective for technology suppliers to meet the stringent safety certification requirements of EN 50128, IEC 61508, ISO 26262, and ED-12C / DO-178C.

Future Airborne Capability Environment (FACE) 3.1 Conformance

FACE (Future Airborne Capability Environment) conformance refers to a set of standards and guidelines designed to ensure interoperability and compatibility of software components in airborne systems. FACE is an initiative primarily aimed at military and aerospace applications, but its principles can be applicable more broadly. It pulls together established standards for safety, security and interoperability, including POSIX, ARINC 653 and others. The goal is to enable easier integration, reduce lifecycle costs, and enhance the flexibility and upgradability of systems. FACE is a demonstrable standard that supports a Modular Open Systems Approach or MOSA, a US Federal requirement for major defense acquisition programs.

Each version of FACE builds on the previous ones, incorporating lessons learned, addressing industry needs, and evolving to support new technologies and practices.

Quick fact: VxWorks 653 Multi-core Edition is conformant to FACE 3.1, versus other solutions that remain on FACE 3.0.

Mitigating Interference in Multicore Processors

Multicore processors are table stakes in today’s computer world, and none more so than in modern mission-critical embedded systems.

Safety certification of multi-core systems, however, is still a huge challenge, given the many ways in which deterministic timing is affected when applications run in parallel on the same chip. These so-called interference channels always involve some kind of shared resource. The shared resource can be as obscure as an interconnect policy buried deep inside the processor that slows down one core’s access to the Peripheral Component Interconnect Express (PCIe) connection while the neighboring core is bulk-writing to RAM.

Only with deep analysis and verification to understand all the interference channels on a particular processor model and software setup can the system integrator demonstrate the necessary compliance to the A(M)C 20-193 objectives for multi-core safety certification in aviation. Good RTOS designs provide a versatile toolbox with many different approaches that help to mitigate interference, so the system designer can choose the most appropriate strategies for their design with minimal impact.

Quick fact: Mitigation of all multi-core interference in a generic way in the RTOS is not possible for modern multi-core processor architectures, unless the application use cases or the mitigations themselves are very limited or restrictive. VxWorks and HVP with off-the-shelf Certification Evidence provide all the design and integration documentation, so that system integrators can open the black box and analyze how applications utilize the shared resources and exercise interference channels in their design.

Together with our partner Rapita Systems, our Functional Safety Specialist Olivier Charrier gives an insight into different strategies to mitigate interference with the help of the RTOS, and into how evidence of mitigation can be produced, using examples of multi-core platforms popular in the aerospace industry, in an on-demand webinar.

Implementing Secure Software Supply Chains

The U.S. Presidential Executive Order 14028 outlining the implementation of secure software supply chains has set a new standard for ensuring the integrity and safety of digital products. At the heart of this initiative is the Secure Software Development Framework (SSDF), provided by the National Institute of Standards and Technology (NIST) in Special Publication (SP) 800-218, whose principles cover the following key areas: Prepare the organization; Protect the software; Produce well-secured software; Respond to vulnerabilities.

With the Wind River Secure Development Lifecycle (SDL), which is aligned with NIST 800-218 principles, we conform to this presidential mandate. The deadline to upload attestation forms for “critical software” was June 11, 2024 – a deadline we achieved. And to this end, on August 6, we proudly announced that we achieved Attestation to U.S. Government Secure Software Development practices.

Quick fact: An earlier program, “Raise the Bar”, was launched by the National Security Agency (NSA) in 2020. The two initiatives are complementary: Executive Order 14028 addresses higher-level policy and structural changes, while “Raise the Bar” focuses more on specific improvements in software development security practices. Together, they contribute to a robust and resilient cybersecurity landscape. Our Wind River SDL, however, with a defined process aligned with NIST 800-218 and applied within all our products, is gaining increasing credibility within the aerospace and defense industry as well as other sectors.

Register for our forthcoming webinar, ‘The Confluence of Safety and Security’, which will outline this and much more.

About the author

Alan Stranaghan is a Senior Product Marketing Manager at Wind River