Paul Parkinson

Last week Boeing issued a press release about the maiden flight of the C-130 Avionics Modernisation Programme (AMP) aircraft. The C-130 AMP (GlobalSecurity.org) will extend the aircraft's capability for many years to come by replacing federated systems with digital systems employing an Integrated Modular Avionics (IMA) architecture using ARINC 653.

This is also a proud moment for Wind River, because back in 2001 we started the developed of a new ARINC 653-compliant version of VxWorks for C-130 AMP to enable Smiths Aerospace to host multiple avionics applications onto a single computing platform, reducing system weight and volume, and reducing obsolescence issues.

At the time, there was already a safety-critical version of VxWorks to support federated applications up to the highest avionics safety integrity levels (RTCA DO-178B Level A), with VxWorks/Cert; but the advent of Integrated Modular Avionics (IMA) brought new requirements, such as the need to enforce temporal and spatial partitioning to prevent applications on the same platform from interfering with each other. (I'm not going to explain these concepts here, if you want to know the specifics, refer to the white paper Safety Critical Software Development for Integrated Modular Avionics).

This is particularly important when the applications are of differing level of safety criticality, such as a flight control application (DO-178B Level A), and perhaps a flight data recorder. Previously, when multiple applications had been hosted on the same computing platform, they would need to be certified to the level (possibly DO-178B Level C) of the most critical application. In the case of DO-178B, the cost of certification at higher Safety Integrity Levels (SIL) can become very expensive, especially at Level A where Modified Condition / Decision Condition (MCDC) testing is required. This increases the number of test permutations immensely, and also places additional burdens on the development tool and systems under test. Here's a simple code fragment to illustrate what I mean:

if A=0 and then B<2 and then C>5 then P; end if;

This contains three variables, three conditions and four MCDC cases (as shown in the table below). For DO-178B Level B certification, two test cases which result in both the execution and non-execution of statement P are required, whereas for Level A certification, all four possible test cases need to be generated.

Table: MCDC Test Cases

Another major aspect of the VxWorks 653 platform was the requirement to support ARINC 653, this included the ARINC 653 API, often referred to as the APplication EXecutive (APEX) API; and also the kernel infrastructure to implement and enforce the temporal and spatial partitioning that I mentioned earlier. This was very significant because it enabled the development of truly portable avionics software applications through a standards-based approach, which is one of the tenets of Device Software Optimization (DSO).

The C-130 AMP programme also saw the relationship between Wind River and AdaCore move to another level. I had been working with AdaCore on the integration between Tornado/VxWorks 5.x and GNAT Pro, which had been really well received by a number of customers in the UK and elsewhere in Europe, but things really flourished with the integration of GNAT Pro High-Integrity Edition and VxWorks 653.

Five years on, I find it fascinating that an RTOS that we originally developed to fulfill the specific requirements of the C-130 AMP programme has evolved to become an industry-leading ARINC 653 COTS RTOS product, which is being used in a diverse range of avionics applications.

So, with this momentum, will ARINC 653 become the de facto standard for Integrated Modular Avionics?