Airbus A3R completes certification with support from Wind River safety-critical multi-core platform

Congratulations to Airbus on the A330 Multi-Role Tanker Transport (MRTT) aircraft becoming the world’s first tanker to be certified for automatic air-to-air refueling (A3R) in daylight! This is a major achievement and thank you for allowing Wind River to be part of your multi-core certification journey (read the news here).

A3R is a very significant milestone in the evolution of airborne refueling systems, as the automated system enables more efficient operation, reduces air refueling operator (ARO) workload, reduces inherent risk of this operation and optimizes the rate of air-to-air refueling transfer, as shown in this informative Airbus video.

The A3R enhanced capabilities are achieved by using state-of-the-art technologies to identify the receiving aircraft’s shape and its refueling receptacle, then perform automated contact and fuel transfer while flying at high altitude.

With this development, Airbus has successfully implemented and certified a complex use case through Spanish National Institute for Aerospace Technology (INTA), involving multiple ED-12C / DO-178C DAL A applications running simultaneously on multiple cores on a multicore processor. Airbus has also met the objectives of CAST-32A (now AM(C) 20-193) published jointly by EASA and FAA. This is a very significant step forward compared to other safety-critical avionics systems which only run on a single core on a multi-core processor with the other processor cores deactivated.

The Advent of Multi-core Safety-critical Avionics

This automation involves sophisticated applications which require a step change in computing performance, necessitating the transition from a single-core processor safety-critical avionics platform to a multi-core processor safety-critical avionics platform. This enables more ARINC 653-compliant safety-critical avionics applications with compute intensive requirements to be hosted. However, this also dramatically increases system complexity and can result in challenges related to determinism, multi-core interference channels, worst-case execution timing (WCET) analysis and increased safety certification costs (as discussed in the Wind River blog series on Assured Multicore Partitioning for FACE systems).

Wind River had previously supplied the VxWorks 653 safety-critical real-time operating system (RTOS) platform which Airbus used on a single-core processor platform for the original air-to-air refueling boom system (ARBS) used on the A330 MRTT. This system comprised multiple ARINC 653-compliant applications running at a multiple levels of safety-criticality and achieved DO-178B DAL A certification.

A Trusted Partner for Multicore Certification

When Airbus decided to transition to a multicore platform to support A3R capabilities, Wind River was able so support Airbus on its multi-core journey, working as a trusted advisor to identify milestones, potential obstacles, and develop metrics to prove that the system architecture was on the right track.

Airbus was also able to achieve software reuse by porting its existing ARINC 653-compliant applications from VxWorks 653 running on a single-core platform to VxWorks 653 Multi-Core Cert Edition integrated with ecosystem partners’ graphics and multi-core processor platform .

For more information about Wind River safety-critical runtime platforms for safety-critical intelligent edge devices in Aerospace, Automotive, and Industrial sectors, please visit the following resources:

Wind River and functional safety: https://www.windriver.com/solutions/learning/functional-safety

To speak with Wind River experts to address certification challenges, contact us here.