Dec 03, 2019 Aerospace and Defense

First Ascent – Field Updates from Wind River and Collins Aerospace

By Andreea Volosincu

1953 was a good year. It was the first time a British expedition conquered Mount Everest, during what most describe as a golden age of alpinism. Fast-forward to the present day, and it’s fascinating to see how the same principles that guided the members of the expedition in their first ascent apply in a domain that could not be more different: software engineering for avionics platforms.

Wind River and Collins Aerospace are true partners, pursuing a goal that hasn’t been reached before, during what some may call a technological golden age – the first DO-178C DAL A certification of a multi-core platform on an FAA program of record. These stories tie together creativity, exploration, and thought leadership. In our case, we are solving the multicore certification puzzle, starting from objectives to artifact submission.


Today, the avionics industry is going through a shift, from the very familiar and comfortable use of single core systems to complex processing devices using multi-core platforms in safety critical applications.

George Mallory was quoted as having said he wanted to climb Everest "Because it's there," a phrase that has been called "the most famous three words in mountaineering." Simple enough. Our shift would have more to do with the future growth for programs, touching not just on the technical aspect (more capability, powerful hardware, SWaP), but also on the competitive and business levels (evolving program capability, leveraging corporate investment across programs).

20 years ago, Integrated Modular Avionics (IMA) and partitioned systems were very new and novel, albeit being used on single core processors. Nowadays, many variations of fully partitioned single core systems exist, are certified, and in operational service all over the world.

The first successful certifications on complex multi-core devices have also been documented. The risks of doing something new are always there though, so these first certifications were fielded using single core active implementations, mainly due to challenges around system complexity and lack of clear initial certification guidance from EASA and the FAA.

These are like the early attempts to conquer Everest. Before the 1953 British Mount Everest expedition there were nine other mountaineering expeditions that set new climbing altitude records. Edmund Hillary and Tenzing Norgay reached the summit in May 1953, but the same Norgay had previously ascended to a record high point on Everest as a member of the Swiss expedition of 1952. Certifying partitioned systems even on single core active implementations is definitely noteworthy.

Collins Aerospace and Wind River are now taking the next logical step. The certification being done now has all cores active in avionics where multiple software applications can run on the same device, supporting functions from DAL A through DAL E. The stakes are high – create a repeatable process and enable low risk follow-on certification, enable as much performance as possible with deterministic behavior, and do it in a way that supports a fully open systems architecture. Mount Everest suddenly seems more approachable now.


The ascent on Mount Everest was led by John Hunt, an experienced British Army Colonel with great credentials as a military leader and as a climber. An interesting set of skills, well suited to this particular situation. The multi-core certification process requires a unique combination as well: technical capabilities, methodology, and industry collaboration.

Collins Aerospace is a founding member of the Multicore for Avionics (MCFA) consortium, contributing to and defining the processor assessment process together with the avionics community. This attempt requires the right expertise and industry alliances that have been nurtured over years in the right forums, just like the MCFA.

Onto the next component, the safety-critical operating system is provided by Wind River. The most important requirement was support for multiple guest operating systems. This was to enable Collins Aerospace to preserve investment in existing applications, and to enable its customers to reduce system integration costs.

Consolidation of multiple applications onto a single common platform (to enable a reduction of SWaP) also played an important role. The required virtualization capabilities were supported by utilizing an efficient hardware virtualization implementation which is available on some modern processors.

Support for open standards such as POSIX, ARINC 653 and FACE™ was also important, as this enables Collins Aerospace and its customers to develop portable applications, and to easily migrate existing standards-based applications to the platform.

Attack of the Summit

The Collins Aerospace multicore platform has been included in flight test on multiple different types of aircraft, both civil and military. Over this period of time we made great progress on critical components. Wind River has completed all their work through SOI4 for both the VxWorks 653 hypervisor and guest OS. Collins Aerospace submitted the remaining multicore and system level cert artifact packages earlier this year. The teams are currently working with FAA representatives in the SOI4 feedback and comment review cycle.

You can catch the latest on Wind River’s collaboration with Collins Aerospace during our webinar on Wed., Dec. 11 when the joint team provides an update on the progress and lessons learned.

We’ll also do a deep dive into the processes and methodologies, such as the actual determinism analysis to address a number of the CAST-32A objectives. From configuration analysis, to interference channel analysis and partitions, we share our journey.
