Military Embedded Systems March 2019


March 2019 | Volume 15 | Number 2

Military aircraft avionics face new data-processing and security demands P 18

AVIONICS ISSUE


Protecting top-secret data with NSA-approved COTS encryption By Paul Davis, Curtiss-Wright Defense Solutions

Avionics safety certification for UASs must juggle security, multicore, mission challenges P 26




www.mil-embedded.com

COLUMNS

SPECIAL REPORT

Editor’s Perspective 8 Avionics and standards

Military Avionics Upgrades 18 Military aircraft avionics face new data-processing and security demands

By John McHale

Cybersecurity Update 10 Is the military ready for AI to help make decisions on the battlefield?

By Sally Cole, Senior Editor and John McHale, Editorial Director

22 Common Weakness Enumeration (CWE) defines cybersecurity vulnerability landscape for mission-critical applications By S. Tucker Taft, AdaCore

By Sally Cole

Technology Update 12 T-X trainer aircraft en route to replace the 57-year-old T-38C Talon for USAF By Mariana Iriarte

MIL TECH TRENDS

Mil Tech Insider 14 Protecting top-secret data with NSA-approved COTS encryption By Paul Davis

Avionics Safety Certification 26 Avionics safety certification for UASs must juggle security, multicore, mission challenges

32

By Mariana Iriarte, Technology Editor

Blog 44

Optimizing multicore architectures for safety-critical applications

By Richard Jaenicke, Green Hills Software and Rick Hearn, Curtiss-Wright Defense Solutions


By Nicholas Butler, National Instruments

DEPARTMENTS 16

Defense Tech Wire

42

Editor’s Choice Products

46

Connecting with Mil Embedded

STANDARDS UPDATE 36

Keep pace with a standardized development process

Development of the next-generation OpenVPX-based embedded system standard – A tri-service convergence of approaches: Part 1 of 3

By Mariana Iriarte

By Mil-Embedded.com Editorial Staff

By Mike Hackert (NAVAIR), Ben Peddicord (CERDEC), and Dr. Ilya Lipkin (AFLCMC)


All registered brands and trademarks within Military Embedded Systems magazine are the property of their respective owners. © 2019 OpenSystems Media © 2019 Military Embedded Systems ISSN: Print 1557-3222


ON THE COVER: Top image: The F-35A Conventional Takeoff and Landing variant is an agile, versatile, high-performance 9-g multirole fighter. The platform’s avionics system will be upgraded with a new Integrated Core Processor as part of an open architecture design. Lockheed Martin photo by Liz Lutz. Bottom image: Pictured are UASs/aerial demonstrators (front to back, left to right): RQ-11A Raven, Evolution, Dragon Eye, NASA FLIC, Arcturus T-15, Skylark, Tern, RQ-2B Pioneer, and Neptune. U.S. Navy photo by Photographer’s Mate 2nd Class Daniel J. McLain.




EDITOR’S PERSPECTIVE

Avionics and standards

By John McHale, Editorial Director

Standards and open architectures are driving modern avionics systems, be they military or commercial. They range from safety certification standards to standard form factors to conformance with commonality initiatives such as the Future Airborne Capability Environment (FACE), which enables software commonality across aircraft platforms through common application programming interfaces (APIs).

Marc Ayala, director of Fixed Wing Business Development for Collins Aerospace (Cedar Rapids, Iowa), says in our Avionics Issue’s Special Report (starting on page 18) that open systems standards such as FACE and others “are causing many within the industry to rethink investments and business models on the military. As an example, Collins Aerospace recently debuted a software-based FACE-compliant flight management system that can be loaded and run on any conforming processor. It wouldn’t have been possible without the common interfaces established by FACE.”

Harris Corp., which is providing an avionics upgrade for the F-35, also considers FACE when designing its systems. “We are designing our avionics software systems to be aligned with HOST [Hardware Open Systems Technologies] and FACE with a foundation based on FACE, while not exactly compliant to FACE at this time,” Bryant Henson, vice president and general manager for Harris Corp.’s Electronic Systems Avionics Business Unit (Melbourne, Florida), told me when I interviewed him for this month’s Special Report. “One area that is conformant to FACE is the FliteScene digital moving map used by the Army, Navy, Marine Corps, Air Force, and Coast Guard on a variety of rotary aircraft. Regarding FACE, we’re an active participant in FACE and continue to bring ideas back to the committees.”

Collins Aerospace and Harris are both active in the FACE consortium (run by the Open Group – www.opengroup.org/face).

In fact, the roots of FACE can be traced back to the old Common Avionics Architecture System (CAAS) program originally developed by Collins Aerospace for the Army’s Special Operations MH-47 and MH-60 helicopter fleets. It continues today on helicopter platforms in the U.S. and internationally. CAAS uses common hardware components to lower life cycle costs and enable more cost-effective upgrades. FACE does this through software.

Both initiatives are effective because what they do – enabling commonality and reuse across multiple platforms through standard interfaces – makes economic sense. Sound familiar? It should if you regularly read this column, because that’s also how I’ve described other similar initiatives such as SOSA, HOST, Modular Open Radio Frequency (RF) Architecture (MORA), etc. These efforts have momentum because they solve a long-term cost challenge for the Department of Defense and enable timely tech refreshes for electronics platforms – in short, they get warfighters better gear fast enough to make a difference.

Also fueling that momentum is the buy-in across the services – Air Force, Army, and Navy – to the efforts. And … as promised, this month we have the first installment of an article detailing that tri-service push: “Development of the next-generation OpenVPX-based embedded system standard: A tri-service convergence of approaches: Part 1 of 3,” on page 36. The authors are Mike Hackert of the U.S. Navy’s Naval Air Systems Command (NAVAIR), the Navy lead for SOSA; and his fellow leads at the Air Force (Dr. Ilya Lipkin, Air Force Life Cycle Management Center [AFLCMC]) and the Army (Ben Peddicord, Communications-Electronics Research, Development and Engineering Center [CERDEC]).

The article takes us in-depth on the tri-service convergence on a common open architecture through programs such as the Sensor Open Systems Architecture (SOSA), MORA, HOST, VICTORY, etc. and how SOSA has become the umbrella under which they all will operate. “The foci of development for each of these programs has become the SOSA Consortium, which is maintained by The Open Group,” they write. “The end-user community can thus come together and agree upon requirements for their particular applications.”

The concept of reuse in software also affects safety certification standards. Now, although military aircraft are not required to abide by Federal Aviation Administration certification standards such as DO-178 and DO-254, they often do per customer requirements.

“Military avionics customers have their own certification requirements and authorities,” says Gary Gilliland, technical marketing manager for DDC-I Inc. (Phoenix, Arizona), in our Mil Tech Trends article on page 26. “These requirements have not typically been as rigorous as DO-178C processes but are converging rapidly. Additionally, there is a strong push for reuse of software across military organizations utilizing the architectures such as defined by the FACE standard. Commercial customers are only concerned about reuse within their own organization.”

Reuse, certification, and satellite navigation for commercial aircraft will also be topics of discussion at Aerospace Tech Week (the show was formerly called Aviation Electronics Europe), held mid-March in Munich, Germany. Full disclosure: I serve on the advisory committee for the event, and MES partners with them on our Avionics Design e-newsletter. For more information, visit www.aerospacetechweek.com.




CYBERSECURITY UPDATE

Is the military ready for AI to help make decisions on the battlefield?

By Sally Cole, Senior Editor

A study found that less-than-competent users of artificial intelligence (AI) on the battlefield – presumably those who would need that AI boost most of all – are actually the least likely to be swayed by rational justifications, even with AI thought to be infallible. Think of it akin to: If you thought you knew the way to a destination, would you still use GPS?

U.S. Army scientists set out to determine whether or not AI, which can seem opaque or be frustrating for some people to use, will be helpful for making decisions on the battlefield. This project – run by Army scientists and University of California at Santa Barbara researchers – attempted to test the theory that many people trust their own abilities far more than a computer, which can affect their judgment when making decisions under pressure.

“The U.S. Army continues to push the modernization of its forces, with notable efforts like the development of smartphone-based software for real-time information delivery such as the Android Tactical Assault Kit (ATAK), and the allocation of significant funding toward researching new AI and machine-learning methods to assist command-and-control personnel,” says Dr. James Schaffer, scientist for RDECOM’s Army Research Laboratory, the Army’s corporate research laboratory (ARL), at ARL West in Playa Vista, California.

Despite these advances, there’s still a significant gap in basic knowledge about the use of AI and whether AI will help or hinder military decision-making processes.

The researchers constructed an abstract experiment similar to the iterated Prisoner’s Dilemma, a game in which players must choose to cooperate with or defect against their co-players in every round in order to control all relevant factors. An online version of the game was developed, in which players obtain points by making good decisions in each round.

In the game, AI is used to generate advice in each round, which appears alongside the game interface; the “advisor” makes a suggestion about which decision the player should make. For the game, the researchers designed an AI that always recommends the optimal course of action. But similarly to real life, players must actually opt to access the AI’s advice manually – just as a user must manually switch on GPS – and the players know that they are free to accept or ignore the AI’s suggestions.

The researchers also presented different versions of this AI: Some were deliberately inaccurate, some required game information to be entered manually, and some justified their suggestions with rational arguments. All variations of these AI treatments were tested so that interaction effects between AI configurations could be explored.

People were invited to play the game online and researchers collected a profile of each player and monitored their behavior. The researchers asked each player about their familiarity with the game, while also measuring their true competency. A test was also given halfway through playing to measure awareness of gameplay elements.

“What we discovered might trouble some advocates of AI,” Schaffer says. “Two-thirds of the human decisions disagreed with the AI, regardless of the number of errors in the suggestions.”

The greater the player estimated their familiarity with the game beforehand, the less they used AI – an effect that was still observed when controlling for the AI’s accuracy. This result suggests that improving a system’s accuracy won’t increase system adoption within this population.

“This might be a harmless outcome if these players were really doing better, but they were in fact performing significantly worse than their humbler peers who reported knowing less about the game beforehand,” Schaffer explains. “When the AI attempted to justify its suggestions to players who reported high familiarity with the game, reduced awareness of gameplay elements was observed – a symptom of overtrusting and complacency.”

Despite these findings, a corresponding increase in agreement with AI suggestions wasn’t observed. This result presents a problem for system designers: incompetent users need AI the most, but are the least likely to be swayed by rational justifications.

Ironically, incompetent users were also the most likely to say that they trusted the AI, which was studied through a postgame questionnaire. “This contrasts sharply with their observed neglect of the AI’s suggestions, demonstrating that people aren’t always honest or may not always be aware of their own behavior,” Schaffer says.

This work shows that while AI may enhance military decisions on the battlefield in the future, ongoing issues regarding its usability remain, despite continued advances in AI accuracy, robustness, and speed. “Rational arguments have been demonstrated to be ineffective on some people, so designers may need to be more creative designing interfaces for these systems,” Schaffer notes.



TECHNOLOGY UPDATE

T-X trainer aircraft en route to replace the 57-year-old T-38C Talon for USAF

By Mariana Iriarte, Technology Editor

Train like you fight – the U.S. military’s training motto – pushes U.S. Department of Defense planners to provide the technology that enables pilots, sailors, maintainers, etc. to be able to perform their duties as if they were second nature. The current deployment of 4th- and 5th-generation fighter aircraft – all loaded with cutting-edge avionics, sensors, and smart weapons – requires modernized embedded training systems to properly simulate aircraft operations and functionality for training.

An example of this is the U.S. Air Force’s T-X advanced jet trainer program, launched in late 2018. The Boeing/Saab T-X fighter jet will train pilots to fly 4th- and 5th-generation jets using the latest cutting-edge technology, including embedded training systems and smart weapons.

The Air Force plans to purchase 351 T-X aircraft and 46 simulators, as well as associated ground equipment, with the goal of replacing the venerable T-38C Talon supersonic jet trainer (Figure 1), which has been in service for 50-plus years.

Figure 1 | A T-38C Talon used primarily by Air Education and Training Command for undergraduate pilot and pilot instructor training. Photo: U.S. Air Force/Steve White.

The Air Force also has the option to purchase as many as 475 aircraft and 120 simulators, making this a big moneymaker for Boeing, Saab, and its subcontractors. The first trainer and simulator are expected to arrive in 2023, at which point undergraduate pilots will transition to training on the T-X platform.

“Cockpit and sensor management are fundamentally different today in 4th- and 5th-generation aircraft than it was when the T-38 was built in 1961,” says Brig. Gen. Dawn Dunlop, the director of plans, programs and requirements at Air Education and Training Command, in an Air Force news release. “While the T-38 has been upgraded to a glass cockpit, the inability to upgrade the T-38’s performance and simulated sensor capability presents a growing challenge each year to effectively teach the critical skills essential to today’s military pilots.”

Aging technology in military systems is arguably the most dangerous of threats. Dunlop notes that “12 of 18 advanced pilot training tasks can’t be completed with the T-38, relying on fighter and bomber formal training units to complete the training at a much greater cost.”

“This new aircraft will provide the advanced training capabilities we need to increase the lethality and effectiveness of future Air Force pilots,” says Heather A. Wilson, secretary of the Air Force, upon the announcement of the T-X program. “Through competition we will save at least $10 billion on the T-X program.”

Boeing and Saab teamed up to deliver a design that addresses both the aging technology on the T-38C and the cost of constant retrofits and upgrades. Boeing and Saab documents describe the T-X aircraft as sporting one engine, twin tails, stadium seating, and an advanced cockpit with embedded training. (Figure 2.)

Figure 2 | T-X Trainer aircraft. Photo: Boeing.

General Electric, Collins Aerospace, and Triumph are among those companies subcontracted to produce the T-X.

General Electric (Boston, Massachusetts) provides the GE F404 engine for the program: “The F404s will replace another GE engine, the J85, which was used on the previous generation of T-X trainers,” according to an October 2018 story in GE Reports. “Designed in the late 1950s, the J85 was the first small turbojet to operate with an afterburner and was also the first GE engine with a variable-exhaust nozzle. In the early 1960s, a commercial variant of the engine powered the first Learjets, a family of pioneering private jets for business executives.”

Collins Aerospace (Cedar Rapids, Iowa), a United Technologies Corp. business unit, will provide the ACES 5 ejection seat that provides pilots with passive head and neck protection. The ACES 5 also has arm- and leg-flail prevention, as well as a load-compensating catapult rocket. Collins will also supply the aircraft’s landing gear system.

While Saab is responsible for the aft fuselage and associated subsystems, it will rely on Triumph Group (Berwyn, Pennsylvania) for design, development, manufacture, and support for the aircraft mounted accessory drives (AMAD) and hydraulic systems.

Full operational capability for the T-X fleet is expected by 2034.




MIL TECH INSIDER

Protecting top-secret data with NSA-approved COTS encryption

By Paul Davis

An industry perspective from Curtiss-Wright Defense Solutions

Type 1 products, certified by the National Security Agency (NSA) to cryptographically secure classified U.S. government information, use approved NSA algorithms. These controlled products are designed to NSA standards and certified by the NSA through a rigorous and often very lengthy evaluation process.

In response to the ever-increasing need to protect deployed data-at-rest (DAR), the NSA/Central Security Service (NSA/CSS) has created the Commercial Solutions for Classified (CSfC) Program, which provides a new path for protecting critical and sensitive data in deployed systems. The CSfC Program enables the use of commercial data protection in layered solutions to protect classified National Security Systems (NSS) data. The program, an alternative approach to Type 1 encryption, was developed to accelerate the protection of top-secret data. It defines an approach for protecting critical data using two layers of commercial encryption.

In many cases, system integrators considering a Type 1 approach may be pleasantly surprised to find that their application can instead use this significantly faster and less costly two-layered commercial off-the-shelf (COTS) CSfC approach. The CSfC approach makes it faster and more cost-effective than ever before for system designers to deploy a solution with approved encrypted data protection. In fact, it reduces the certification process to just a matter of months and a fraction of the cost when compared to the multiple years and millions of dollars typically required previously.

The CSfC approval process

To achieve NSA approval and placement on the CSfC Components List, the COTS-based encryption components must undergo Common Criteria (CC) evaluation by the National Information Assurance Partnership (NIAP). NIAP was created by the NSA and National Institute of Standards and Technology (NIST) to evaluate commercial encryption components for inclusion in CSfC solutions. The CC validates COTS information technology products to ensure conformance to the international Common Criteria Evaluation and Validation Scheme (CCEVS), which is recognized around the world by 17 Certificate Producing countries and by 11 Certificate Consuming countries.

Once that CC process is formally underway, the COTS component vendor must establish a Memorandum of Agreement (MOA) with the NSA. NIAP ensures that commercial products meet NSA standards for security by testing the products in certified labs against stringent security standards called collaborative protection profiles. NIAP oversees U.S. implementation of the CC certification of commercial IT products for use in national-security systems.

The benefits of being on the CSfC component list

The CSfC component list enables system integrators to identify products that are in evaluation, or are already certified, that can be used in a data-protection solution. System integrators then apply to the NSA identifying the proposed product from the Component List and the application details. This approach enables system integrators to begin developing and testing their data-security architecture today. With leading COTS suppliers investing in the development and certification process, solution integrators will find a great reduction in program cost, risk, and schedule for protecting critical deployed DAR.

An approved COTS solution for CSfC Data-at-Rest protection

In a recent example, Curtiss-Wright completed the Common Criteria certification process for its Data Transport System (DTS1) Network Attached Storage (NAS) device, which is designed to support two layers of full disk encryption (FDE) in a single device. The small unit, which weighs only three pounds, stores as much as 4 TB of solid-state storage (SSD) with two layers of certified encryption. The small-form-factor data recorder – aimed at use on helicopters, unmanned aerial vehicles (UAVs), unmanned underwater vehicles (UUVs), unmanned ground vehicles (UGVs), and intelligence/surveillance/reconnaissance (ISR) aircraft that require the protection of sensitive DAR – uses commercially available CNSA (formerly Suite B) cryptographic algorithms. (Figure 1.)

Figure 1 | The DTS1 NAS device is designed for use in unmanned aloft, ground, or underwater vehicles that must protect data-at-rest.

The unit was designed with NSA’s DAR Capability Package as a template and is based on the hardware and software FDE solution approach. Having received CC certification, both the hardware and software FDE layers are now listed on the United States NIAP Product Compliant List. Additionally, the two encryption layers are now listed on the NSA’s CSfC Components List and can be proposed as a DAR solution.

Selecting a preapproved device from the CSfC Components List enables system architects to greatly reduce the time and cost needed to design a COTS encryption solution, enabling them to begin system development immediately and greatly reducing their program risk.

Paul Davis is Director, Product Management – Data Solutions, for Curtiss-Wright Defense Solutions.

Curtiss-Wright Defense Solutions www.curtisswrightds.com




DEFENSE TECH WIRE NEWS | TRENDS | DOD SPENDS | CONTRACTS | TECHNOLOGY UPDATES By Mariana Iriarte, Technology Editor NEWS

U.S. Navy signs $2.4 billion P-8A Poseidon contract with Boeing

Boeing signed a $2.4 billion production contract with the U.S. Navy for the development of the next 19 P-8A Poseidon aircraft.

The contract includes 10 aircraft to add to the current inventory of P-8As in the U.S. Navy fleet, the five jets currently under contract for Norway, and the four aircraft remaining in its existing contract with the U.K. The U.K. and Norway are acquiring the Boeing aircraft through the foreign military sales (FMS) process; under that FMS agreement, both countries will receive a variant of the P-8A designed and produced for the U.S. Navy called the P-8A Poseidon. The U.K. will receive its first aircraft in 2019, while Norway will begin receiving aircraft in 2021.

Figure 1 | The U.S. Navy awarded Boeing a $2.4 billion production contract for the next 19 P-8A Poseidon aircraft. Photo courtesy of Boeing.

Charles River Analytics creates tool to help AI communicate effectively with humans

Charles River Analytics has created a tool it calls the Causal Models to Explain Learning (CAMEL) approach under the Defense Advanced Research Projects Agency’s (DARPA) Explainable Artificial Intelligence (XAI) effort.

Under DARPA’s XAI effort, Charles River Analytics led a team that included Brown University, the University of Massachusetts at Amherst, and Roth Cognitive Engineering. The team developed probabilistic causal modeling techniques and an interpretive interface that enable users to naturally interact with machines. The goal of the CAMEL approach is to help artificial intelligence (AI) effectively communicate with human teammates, actually simplifying explanations of how these complex, deep learning machines work. These rationales, say DARPA officials, are vital to effective interpretation and application of recommendations by AI instruments.

HHI garners $15.2 billion multiship contract to build Ford-class aircraft carriers

U.S. Navy officials modified an existing contract with Huntington Ingalls Industries’ (HHI) Newport News Shipbuilding division for a multiship contract valued at $15.2 billion. HHI will design and construct two Gerald R. Ford-class aircraft carriers designated Enterprise CVN 80 and CVN 81.

This contract modification comes after previous contract awards for the advance procurement and advance fabrication of Enterprise, starting in May 2016. The construction of Enterprise CVN 80 and CVN 81 will be completed at the company’s Newport News Shipbuilding division; the ships are scheduled to be delivered in 2028 and 2032, respectively. To support the contract, the company says that it is making an investment in facilities and will continue its digital-transformation efforts.

Figure 2 | Gerald R. Ford (CVN 78) aircraft carrier arrives at Newport News Shipbuilding. Photo courtesy of Huntington Ingalls Industries.

UAS developer Aeryon Labs Inc. acquired by FLIR Systems

A Canadian developer of unmanned aerial systems (UAS), Aeryon Labs Inc., has been acquired by FLIR Systems, Inc. for $200 million.

Based in Waterloo, Canada, and with offices in Denver and Salt Lake City, Aeryon Labs was founded in 2007 and is a designer and manufacturer of mission-focused Group 1 UAS solutions built around aircraft under 20 pounds. Aeryon’s different UASs are deployed by 20 militaries in over 30 countries around the world, including by the U.S. Department of Defense. Aeryon Labs is now part of the FLIR Government and Defense Business Unit’s Unmanned Systems and Integrated Solutions division. The transaction is expected to be $0.02 dilutive to FLIR Systems’ 2019 earnings due to anticipated product-development investments, and accretive thereafter.

Avionics from Collins Aerospace will ride on NASA’s QueSST demonstrator aircraft

Lockheed Martin has chosen Collins Aerospace to provide avionics for NASA’s new X-59 Quiet Supersonic Technology (QueSST) aircraft. Lockheed Martin is developing the X-59 in order for NASA to collect data that could make supersonic commercial travel over land possible through low-sonic-boom technology.

Under the agreement, Collins Aerospace – a unit of United Technologies Corp. – will provide developmental engineering support to tailor its Pro Line Fusion avionics to the specific requirements of the X-59. As the companies jointly develop software applications side-by-side, it is hoped that the efforts will result in an optimized solution which will include Collins’s touchscreen primary flight displays with tailored multifunction windows, head-up display (HUD) symbology, synthetic vision, ARC-210 communication radios, and a suite of navigation and surveillance equipment. Lockheed Martin will institute a System Integration Lab for the Pro Line Fusion avionics at its Palmdale, California, facility. Collins will additionally provide a dual multispectral enhanced vision system (EVS-3600), due to the unique shape of the QueSST aircraft.

Figure 3 | The X-59 is expected to take its first flight in 2021. Image courtesy of Lockheed Martin.

C4ISR and control systems on U.S. Coast Guard cutters to come from Northrop Grumman

Northrop Grumman Corp. won production and long lead time materials (LLTM) contracts for the U.S. Coast Guard (USCG) Offshore Patrol Cutter (OPC) C4ISR [command, control, communications, computers, intelligence, surveillance, and reconnaissance] and control systems, in concert with Eastern Shipbuilding Group (ESG). Northrop Grumman will produce C4ISR and control systems for the lead OPC, USCGC Argus; and will procure LLTM for these systems on the second OPC, USCGC Chase.

Northrop Grumman’s part in building the OPC platform includes the integrated bridge, navigation, command and control, computing network, data distribution, machinery control, and propulsion control systems. It will perform C4ISR system integration at the Northrop Grumman OPC test and integration facility in Charlottesville and control systems integration at its Charlottesville land-based test facility.

Navy radar tracks ballistic missile in test

The U.S. Navy reports the Raytheon-built AN/SPY-6(V)1 Air and Missile Defense Radar (AMDR) tracked a ballistic-missile target, completing final development flight tests. During the “Vigilant Nemesis” flight test, the short-range ballistic-missile target was launched from the Pacific Missile Range Facility (Kauai, Hawaii). The AN/SPY-6(V)1 AMDR searched for, detected, and maintained track on the target. This was the final in a series of flight tests for the AN/SPY-6(V)1. Based on preliminary data, the test successfully met its primary objectives, say Navy officials; they will continue to evaluate system performance based upon telemetry and other data obtained during the test. The radar is on schedule for delivery to the Navy’s first modernized DDG 51 Flight III, the future USS Jack H Lucas (DDG 125), in 2020.

Figure 4 | The AN/SPY-6(V) radar. Photo courtesy of Raytheon.

QinetiQ and U.S. Army sign contract for $90 million to support robotic systems

QinetiQ North America (QNA) has signed a $90 million indefinite delivery/indefinite quantity (ID/IQ) contract to support the overall sustainment actions of the Tactical Adaptable Light Ordnance Neutralization (TALON) family of robotic systems for the U.S. Army. QNA will be providing ongoing maintenance, upgrades and servicing of the Army’s existing fielded fleet of TALON robots, which are used primarily to assist military personnel with the extremely dangerous job of detecting and disabling roadside bombs or improvised explosive devices (IEDs) planted by hostile forces to attack troops. Parts production under the contract – which has an expiration date of December 2023 – will be performed in Franklin, Massachusetts.


Special Report MILITARY AVIONICS UPGRADES

Military aircraft avionics face new data-processing and security demands

By Sally Cole, Senior Editor and John McHale, Editorial Director

A few trends are emerging in military aircraft avionics – including a continued push toward large touch-screen displays, as well as a migration to multicore processing, open architectures, and a new focus on improving cyber resilience.

The F-35A Conventional Takeoff and Landing variant is an agile, versatile, high-performance 9-g multirole fighter. The platform’s avionics system will be upgraded with a new Integrated Core Processor as part of an open architecture design. Lockheed Martin photo by Liz Lutz.

Open architecture designs are a standard requirement these days for military aircraft platforms undergoing avionics upgrades and tech refreshes to their flight systems. Open architecture design is needed in all platforms, from aging craft like the C-130 or F-16 all the way up to the 5th-generation fighters like the F-35. From the display to the processor to the moving map, open architecture designs that embrace common standards have become the rule rather than the exception.

The F-35’s latest tech refresh program is a perfect example of the open architecture approach. “The key to winning the F-35 avionics contract was our open systems architecture approach,” says Bryant Henson, vice president and general manager for Harris Corporation’s Electronic Systems Avionics Business Unit (Melbourne, Florida). “We’ve embraced open systems architectures at Harris, and our next-gen Integrated Core Processor (ICP) is a perfect example of that. We standardized the interfaces, components, and cards for the computer. We also purposely made the ICP processor-card-agnostic, so that future refreshes aren’t locked into one provider and we can easily and cost-effectively upgrade the computer, chassis, or the processor. That’s how we’re driving capability while reducing size, weight, power (SWaP), and cost.”

“We are aggressively pursuing cost reduction across the F-35 enterprise and, after conducting a thorough review and robust competition, we’re confident the next generation [ICP] will reduce costs and deliver transformational capabilities for the warfighter,” says Greg Ulmer, Lockheed Martin vice president and general manager of the F-35 program in a Lockheed Martin release. The ICP “will have positive benefits for all customers in terms of life cycle cost, capability, reliability, and more,” he adds.

Harris “also invested heavily in high-density electronic packaging for the cards and efficient thermal-management techniques – specifically a liquid-cooled chassis that houses the ICP and an air-cooled solution for the panoramic cockpit display,” Henson adds.


Figure 1 | The Panoramic Cockpit Display (PCD) Electronic Unit from Harris Corporation controls the PCD and also functions as the backup computer for the aircraft. Photo courtesy of Harris Corporation.

Open architectures will make tech refreshes on the F-35 and other platforms much more efficient down the road. Harris has increased its content on the F-35 through a Technology Refresh 3 (TR3) modernization effort by providing – in addition to the ICP – the advanced memory system and the electronics behind the panoramic cockpit display, he continues. “The ICP essentially acts as the brains of the F-35 – processing data for the aircraft’s communications, sensors, electronic warfare, guidance and control, as well as cockpit and helmet displays. The computer operating the display also functions as the backup computer for the aircraft.” (Figure 1.)

“For the F-35 avionics program, we’re providing more than 1,700 different components, including network-interfaced units, power supplies, integrated chassis that support communication, navigation, computer processing, and a multifunction advanced data link that enables the aircraft to communicate covertly,” Henson says.

Thanks to the open architecture approach, Henson says the next-gen ICP system is targeted to generate a 75 percent reduction in unit cost compared to the current system, as well as a 25-time increase in computing power to support planned capability enhancements, greater software stability, higher reliability, and increased diagnostics that result in lower sustainment costs.

Open architecture initiatives

A key force behind open architecture developments in avionics has been the Future Airborne Capability Environment (FACE) Consortium, an aviation-focused group comprised of industry suppliers, customers, and users working to create an open architecture, standards, and business model geared toward helping speed new capabilities to warfighters faster. All three services – Air Force, Army, and Navy – are also involved.

As an open avionics standard, FACE makes military computing operations more robust, interoperable, portable, and secure. It’s designed to enable developers to create and deploy a wide catalog of applications for use across the entire spectrum of military aviation systems through a common operating environment.

Software is playing “an increasing role, which generally represents the most complex part of development programs,” says Marc Ayala, director of Fixed Wing Business Development for Collins Aerospace (Cedar Rapids, Iowa). “In the old days, if you wanted a new capability added to your aircraft, it usually meant the addition of a new box. Today, many capabilities can be added by adjusting software without any hardware changes.”

Open systems standards such as FACE and others “are causing many within the industry to rethink investments and business models on the military market,” he adds. “As an example, Collins Aerospace recently debuted a software-based FACE-compliant flight management system that can be loaded and run on any conforming processor. It wouldn’t have been possible without the common interfaces established by FACE.”

At Harris “we are designing our avionics software systems to be aligned with HOST [Hardware Open Systems Technologies] and FACE with a foundation based on FACE, while not exactly compliant to FACE at this time,” Henson says. “One area that is conformant to FACE is the FliteScene digital moving map used by the Army, Navy, Marine Corps, Air Force, and Coast Guard on a variety of rotary aircraft. Regarding FACE, we’re an active participant in FACE and continue to bring ideas back to the committees.”

Boeing completes NATO E-3A fleet upgrade with digital cockpits

Boeing has delivered the final E-3A Airborne Warning and Control System (AWACS) aircraft – modernized with avionics and a digital cockpit – to NATO. This delivery marks the completion of an upgrade of a fleet of 14 planes and ensures that NATO AWACS is in compliance with air-traffic-control and navigation requirements.

The AWACS avionics upgrades – a $257 million modernization project begun back in 2016 – include five full-color digital glass displays in each aircraft, replacing 1970s-era dials, which provide crew members with customizable engine, navigation, and radar data. These upgrades improve the handling and transfer of information, extend surveillance, and heighten navigational accuracy, which is required for operating within regions of ever-increasing airspace congestion, as well as for mastering increasing challenges posed by diminishing manufacturing sources.

“The Communication Navigation Surveillance/Air Traffic Management (CNS/ATM) modernization project enables the NATO E-3A fleet to meet current and foreseen European air-traffic-management requirements,” says Brigadier General Mike Hain, general manager of the NATO Airborne Early Warning and Control Programme Management Agency (Brunssum, The Netherlands).

The first modernized NATO AWACS plane was modified at Boeing facilities in Seattle, Washington, in November 2016, while the remaining 13 underwent modernization work in Manching, Germany.


The Sensor Open Systems Architecture (SOSA) Consortium is working to create open system reference architectures applicable to military and commercial sensor systems. These architectures use modular design and widely supported, consensus-based nonproprietary standards for key interfaces. “Regarding SOSA, our electronic warfare business is following it closely, but we go to market as a corporation and look at ways to leverage our business investment across our business units – including avionics, electronic warfare, and others,” explains Henson. “We’re adding multifunctionality to every design as we reduce SWaP and increase performance through investments across multiple domains. The open architecture approaches and concepts that come out of SOSA, FACE, and other initiatives enable multifunctionality, and we leverage them across Harris regardless of application.” Harris tries to push multifunctionality into every solution it designs because “reducing SWaP is a high priority for every aircraft platform,” explains Henson. “By adding multifunctionality in the smaller electronic footprint, you enable not only easier upgrades but more efficient integration of new capabilities such as better anti-jam technology. Open architectures make all of this possible and affordable in the long term.” It also makes it easier, Henson notes, to solve future problems and deploy the technology to warfighters faster. “One example is improving protected communications, because that’s what wins the game – resilience and protected communications,” he says.

Sidebar Figure 1 | Boeing delivered the final AWACS plane modernized with avionics and a digital cockpit. Image courtesy of NATO.


Security in flight systems

An emerging trend is a focus on security. “While not always a requirement in programs, we’ve made security an important part of our open systems architectures at Harris,” says Henson. “We started to standardize on these interfaces, using COTS [commercial off-the-shelf] technology and spending the time to overcome the challenge through high-speed cryptography. We’ve also invested in multi-level security – MILS [multiple independent levels of security] and MLS [multilevel security]. Some customers have specific security requirements but, in general, we look at where the marketplace is going with our crypto solutions based on a certified architecture.”

Many military aircraft avionics systems rely on COTS components today, primarily for cost savings and convenience. But is a shift away from COTS likely to ensure that parts are made in the U.S. because of security concerns? Maybe.

“In certain markets, such as a commercial-derivative aircraft where civil certification is a requirement, COTS is a perfect fit,” Ayala says. “For other more specialized missions, COTS products serve as a baseline to start from. Due to mission requirements, COTS products are often tweaked to meet the mission but, by doing so, our customers see a dramatic reduction in development and integration cost. As processing huge amounts of sensor data and cyberdefense programs running in the background become more prevalent, we may see a departure from the traditional COTS model into more of a military off-the-shelf (MOTS) model where manufacturers carry two different product lines – one for commercial and one for military.”

Trends in avionics displays

On the avionics display front, the primary trends are, not surprisingly, still “large format and touch screen,” Ayala says. “Many flight decks are migrating to three or four large displays, and pilots are becoming increasingly familiar with touch screen as the human machine interface.”

A secondary trend, Ayala adds, is the analysis of large amounts of data driving migration to multicore. Processing demands and cyber resilience are next in driving inclusion of multicore processors: “Certification of multicore processors in avionics will be something every integrator will deal with.”

“The military isn’t required to abide by FAA safety certification standards such as DO-178C [Software Considerations in Airborne Systems and Equipment] or DO-254 [Design Assurance Guidance for Airborne Electronic Hardware], but we need to provide a path to compliance if a customer chooses to certify to it,” Harris’s Henson says. “At that point, it’s a matter of being resolved at the design and testing level.”

One primary difference between military and civilian aircraft avionics “is the qualification to more stringent military environmental standards such as sand, extreme temperatures, EMI, and salt fog,” Ayala points out. “A secondary effect surrounds the addition of specialized mission functions such as weapons targeting and surveillance sensors.”


Common Weakness Enumeration (CWE) defines cybersecurity vulnerability landscape for mission-critical applications

By S. Tucker Taft

The Common Weakness Enumeration (CWE), a category system for software weakness and vulnerability, is now in use to provide a common vocabulary for source-code analysis tools for those developing mission-critical embedded systems. Some distinct groupings of CWE items – such as those that are associated with general coding practices – are focused on security-specific parts of a software system, including authentication and encryption, and those that can be mitigated through appropriate choice of programming languages or tools. A recent decision was made to include a “Common Quality Enumeration” within the framework of CWE that would generalize its applicability to all kinds of software weaknesses, not strictly those that relate to cybersecurity.

Laying out the CWE

The Common Weakness Enumeration (CWE, at http://cwe.mitre.org) has emerged as a de facto reference resource to every security-conscious developer of mission-critical embedded systems. The CWE is a categorization of all known cybersecurity vulnerabilities into a single, systematically numbered list, with the most recent version (version 3.2, from January 2019) containing just over 800 weaknesses, and almost 1,200 total items. The CWE grew out of a project by the MITRE Corporation (Bedford, Massachusetts and McLean, Virginia) to characterize and summarize the growing Common Vulnerabilities and Exposures (CVE) list; MITRE also maintains the CVE list in conjunction with the National Vulnerability Database (NVD) maintained by the National Institute of Standards and Technology (NIST). The CVE and the NVD together log every publicly known cybersecurity vulnerability and exposure incident, going back to 1999. The CWE attempts to group the cybersecurity vulnerabilities and exposure incidents into distinct categories so as to provide a common vocabulary for tools, cybersecurity experts, and the overall mission-critical software development community.
In version 3.2, an effort has been made to include more general quality weaknesses, which originated in the CQE (Common Quality Enumeration) project. These kinds of weaknesses do not directly relate to security issues, but can nevertheless cause major problems during the life cycle and can often be detected by the same kinds of tools that detect security-focused weaknesses.


The CWE is being used in various contexts, but perhaps the most important is in connection with source-code analysis tools. Historically, each such tool has had its own specific vocabulary, all of which had potentially confusing or ambiguous descriptions of precisely what sorts of software problems it is designed to detect. With the emergence of the CWE, however, many source-code analysis tools have begun to identify the problems they detect using the associated unique CWE identifier. Using the CWE, this shared vocabulary enables results from multiple tools to be combined and compared in a meaningful way. Even using a common terminology, there are advantages to being able to use multiple tools, because different tools tend to have different strengths when it comes to detecting potential source-code defects. www.mil-embedded.com


fundamental CWEs (such as CWE-120), additional sections are provided, such as Modes Of Introduction, Applicable Platforms (typically the programming languages where the weakness is more prevalent), Common Consequences, Likelihood Of Exploit, and Potential Mitigations. The mitigations section will identify languages or platforms where the weakness is unlikely to occur, as well as software development or deployment practices that will reduce the likelihood of exploit in environments where the weakness is not automatically prevented by the language or platform used. In addition to universal weaknesses, such as buffer overflow and its related dangers, there are weakness that are more application-specific, depending on the nature of the application. For example, appropriate use of authentication and authorization might not be relevant for an application that is not accessible outside a physically secure location. CWE-284, Improper Access Control, addresses this particular application-specific area of weakness (Table 2 on next page). CWE-120: Buffer Copy without Checking Size of Input (“Classic Buffer Overflow”) Weakness ID: 120 Abstraction: Base, Structure: Simple Description: The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. Extended Description: A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold, or when a program attempts to put data in a memory area outside of the boundaries of a buffer. The simplest type of error, and the most common cause of buffer overflows, is the “classic” case in which the program copies the buffer without restricting how much is copied. Other variants exist, but the existence of a classic overflow strongly suggests that the programmer is not considering even the most basic of security protections.

Table 1 | CWE-120.

CWE examples The CWE is best illustrated by examples. When first looking at the CWE, it is often helpful to distinguish different sorts of weaknesses. Some we could call universal in that they are of concern in any and every application, such as a buffer overflow (CWE-120). Essentially all programs work with tables or arrays or strings of characters, and for all such programs, attempting to put more into the table, array, or string than it can hold is certain to create problems, either immediately if the language catches such attempts with a run-time check, or eventually if the data that is corrupted by such a buffer overflow is used as input to some later phase of the computation. The entry on http://cwe.mitre.org for CWE-120 is as follows (Table 1). In addition to CWE-120, there is a set of related weaknesses that deal with indexing into an array-like structure outside the bounds of the array. A search on the CWE website for “array out of bounds” produces a list of relevant CWE entries, which include more than just the description of the weakness: They also include examples to illustrate the weakness in those programming languages where it is not detected automatically by compile-time or run-time checks. Furthermore, in the entry for some of the more www.mil-embedded.com

As with buffer overflow, there is a set of other CWE entries that focus on specific elements of this general area of weakness. A search on the CWE website for “authentication and authorization” produces a list of examples. Although such application-specific CWEs might not be relevant to all systems, the proportion of systems with external connections is growing every day. Military systems that used to be only accessible to the pilot, for example, are now being networked to improve coordination and situational awareness. Even though the other systems in the network might themselves be secure, the possibility of interference with communication is always there. Even these purely computer-to-computer connections may require authentication and authorization, to avoid spoofing or corruption by unfriendly parties. The bottom line is that a growing proportion of the formerly application-specific CWEs are becoming more universal in their relevance. As mentioned above, a new group of CWE entries, just added in CWE version 3.2, is not as directly related to security, but is still relevant to the construction and

MILITARY EMBEDDED SYSTEMS

March 2019 23


evolution of robust mission-critical embedded systems. This group, derived from an experimental Common Quality Enumeration (CQE) built several years ago, includes CWE entries such as CWE-1041, Use of Redundant Code (Table 3). As indicated in the table’s Extended Description, duplicate copies of the same code can seriously affect maintenance and evolution of a system. This is also a universal quality and maintainability issue, and in fact does occur in almost every system, independent of programming language or development process. There is even a three-letter acronym devoted to this issue: DRY – Don’t Repeat Yourself!

The duplication of code is in some ways the flip side of “Don’t reinvent the wheel.” Neither repeating yourself nor reinventing the wheel is the right answer for programmers building long-lived mission-critical systems. The key is abstraction, modularity, and a good library system underlying the programming platform, so reusable components can be abstracted into components that can be called or instantiated multiple times, without falling back on copy-and-paste.

CWE-284: Improper Access Control
Weakness ID: 284
Abstraction: Class, Structure: Simple
Description: The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Extended Description: Access control involves the use of several protection mechanisms such as:
• Authentication (proving the identity of an actor)
• Authorization (ensuring that a given actor can access a resource), and
• Accountability (tracking of activities that were performed)
When any mechanism is not applied or otherwise fails, attackers can compromise the security of the software by gaining privileges, reading sensitive information, executing commands, evading detection, etc. There are two distinct behaviors that can introduce access control weaknesses:
• Specification: incorrect privileges, permissions, ownership, etc. are explicitly specified for either the user or the resource (for example, setting a password file to be world-writable, or giving administrator capabilities to a guest user). This action could be performed by the program or the administrator.
• Enforcement: the mechanism contains errors that prevent it from properly enforcing the specified access control requirements (e.g., allowing the user to specify their own privileges, or allowing a syntactically-incorrect ACL to produce insecure settings). This problem occurs within the program itself, in that it does not actually enforce the intended security policy that the administrator specifies.

Table 2 | CWE-284.

CWE-1041: Use of Redundant Code
Weakness ID: 1041
Abstraction: Base, Structure: Simple
Description: The software has multiple functions, methods, procedures, macros, etc. that contain the same code.
Extended Description: This issue makes it more difficult to maintain the software, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. For example, if there are two copies of the same code, the programmer might fix a weakness in one copy while forgetting to fix the same weakness in another copy.

Table 3 | CWE-1041.

CWE-compatible tools

As evidenced by the above small sample of CWE entries, the CWE relates directly to the kinds of challenges faced daily during the development of software-intensive systems. With this common vocabulary, it is now possible for a software project to identify and evaluate tools based on whether they can detect, or even suggest corrections


for, instances of such weaknesses in the source code of the systems being developed or deployed. In fact, MITRE has established a registry of tools that follow the CWE nomenclature, both in terms of controlling their operation, and in terms of the reports they generate. This list of tools is maintained as part of MITRE’s CWE Compatibility and Effectiveness Program, and may be found on the web at https://cwe.mitre.org/compatible/compatible.html. Currently there are about 35 companies with more than 50 tools listed in the registry of CWE-compatible tools.

To be listed in the registry, the tool must satisfy at least the first four of these six criteria: CWE-searchable using CWE identifiers; must include, or allow users to obtain, associated CWE identifiers; must accurately link to the appropriate CWE identifiers; must describe CWE, CWE compatibility, and CWE-related functionality; must explicitly list the CWE-IDs that the capability claims coverage and effectiveness against locating in software; and must show test results of assessing software for the CWEs on the website.

As an example of how certain kinds of tools integrate CWE identifiers into their user interface, here is a screen shot from a static-analysis tool, demonstrating its ability to detect various CWE issues in a sample program [dining_philosophers.adb – based on the classic Dining Philosophers algorithm] (Figure 1.) As shown above, each message displayed includes the CWE identifier(s) associated with each identified problem (we are seeing both buffer overflows and numeric range overflows in this case). The graphical interface also enables the user to identify, by CWE identifier, the particular weaknesses that are of current interest, thereby filtering out messages that do not relate to these issues. Although not shown here, hovering over the CWE identifier displays the short description of the weakness, so the user need not try to memorize the meaning of each CWE Id.
Figure 1 | Screen shot demonstrating the tool’s ability to detect CWE issues in a sample program.

As another example, here is a screen shot from a tool that supports formal proof of program properties for programs written in the SPARK subset of Ada. (Figure 2.) Here again, we see that the messages indicating places where the tool was not able to fully automate the proof of the absence-of-run-time-error (AoRTE) property include the appropriate CWE identifier. Also shown above is a search capability that can filter out non-CWE messages (in this case, by writing “CWE” in the search box), or can identify messages that refer to a specific CWE Id.

Figure 2 | Screen shot shows the appropriate CWE identifier.

The definition of the Common Weakness Enumeration by MITRE has made an important contribution to the overall process of developing more secure and robust software-intensive systems. It provides a common vocabulary that helps internal communications within software development organizations, as well as allowing users to understand and compare the capabilities of tools designed for scanning and analyzing the source code for mission-critical software. Designers will find that including CWE-compatible features into static-analysis and formal method toolsets enables users to readily understand the kinds of security and robustness issues that can be eliminated.

S. Tucker Taft is VP and director of language research at AdaCore and is senior advisor for AdaCore’s “QGen” Model-Based Development tool suite. Tucker led the Ada 9X language design team, culminating in the February 1995 approval of Ada 95 as the first ISO standardized object-oriented programming language. His specialties include programming language design, advanced static-analysis tools, formal methods, real-time systems, parallel programming, and model-based development. Tucker is a member of the ISO Rapporteur Group that developed Ada 2005 and Ada 2012. Tucker has also been designing and implementing a parallel programming language called “ParaSail,” and is working on defining parallel programming extensions for Ada as part of the forthcoming Ada 2020 standard.

AdaCore
www.adacore.com



Mil Tech Trends
AVIONICS SAFETY CERTIFICATION

Avionics safety certification for UASs must juggle security, multicore, mission challenges

By Mariana Iriarte, Technology Editor

Pictured aerial demonstrators (front to back, left to right): RQ-11A Raven, Evolution, Dragon Eye, NASA FLIC, Arcturus T-15, Skylark, Tern, RQ-2B Pioneer, and Neptune. U.S. Navy photo by Photographer’s Mate 2nd Class Daniel J. McLain.

Military and commercial aviation communities are pushing for stricter certifications of unmanned aerial systems (UAS), known colloquially as drones, as the national airspace (NAS) becomes more congested. A crowded NAS means increased danger of underdeveloped, undercertified unmanned systems flying alongside manned aircraft. Meanwhile, the use of multicore processors has risen for use in both manned and unmanned aircraft certification, but security concerns continue to pester the aviation community.

The genie is out of the bottle when it comes to unmanned aircraft flying in the national airspace. Government regulation will forever be playing catch-up, but it is critical that the regulators and avionics designers stay ahead of the game when it comes to certifying the software and hardware on unmanned aircraft as they have done with manned platforms, especially in the area of certifying multicore technology.

Industry officials are seeing a push toward ensuring that both manned and unmanned aircraft follow similar – if not the same – safety procedures. Unfortunately, unmanned system certification continues to lag even as more UAS take to the skies. To address the situation, the aviation community is increasingly looking at using DO-178/DO-254 certifications.

“I’m old enough to remember the first personal computers and people’s reactions: ‘It’s cool but there’s no software and it won’t serve a practical purpose,’” says Vance Hilderman, chief technical officer, AFuzion Inc. (Los Angeles, California). “That view lasted a few years until a tipping point was reached and computer usage exploded. We’re now at that same tipping point with unmanned systems. The FAA [Federal Aviation Administration] and EASA [European Union Aviation Safety Agency] have made great strides recently coalescing on workable standards. Obviously, the new ADS-B mandates and applying ADS-B Out to more UAVs is helping also. And the larger unmanned producers are now finally applying similar safety/reliability standards as for smaller manned aircraft (e.g., Part 23, which covers performance-based safety standards), so that is greatly increasing both aircraft and operational reliability.”



DO-254 certification has become even more of a requirement. David Mead, president and CEO, Holt Integrated Circuits (Mission Viejo, California), says: “The military has become more interested in DO-254 certification in the last three to five years, primarily driven by the need to share commercial airspace and provide a design assurance level (DAL) similar to the commercial aircraft industry. All safety or mission-critical systems are typically certified to DAL A, the highest assurance level, where a failure condition would be catastrophic, preventing continued safe flight and landing.”

Quite frankly, the challenges are significant: “DO-178 and DO-254 are guidelines for developing safe software and firmware in the scope of safe systems,” says George Graves, chief technologist, Mercury Mission Systems, a unit of Mercury Systems (Andover, Massachusetts). “These documents have been built with industry and government collaboration over decades.”

The safety-certification stats speak for themselves: “The current safety record is a testament to the amount of vision and effort that has gone into providing this guidance,” he continues.

While the aviation community has decades of experience in flying, certifying, and keeping the skies safe, some view it as a necessity to certify unmanned systems via DO-254/DO-178. In other words, unmanned systems need to quickly and efficiently play the catch-up game – all for the sake of safety.

Of course, the challenge remains in “updating the safety assessment and certification process to support that level of safety without a man in the loop,” Graves adds. “To support the transformation to unmanned systems – doing what we can do today with the safety we have today – will take many more decades with the methods and the guidance that are in place. Therefore, an additional significant challenge we face is the acceleration of these processes while still allowing the use of the more complex technologies required to support autonomy.”

Automation will help the process, but the problem persists that “unmanned systems now face the need to certify to DO-254 and DO-178 in a way not initially considered by UAS manufacturers,” says Dan Joncas, vice president of sales and marketing for CoreAVI (Tampa, Florida). “The wide variation in the size of UASs from large systems such as Global Hawk down to hand-launched platforms means that there is a huge variation in both the certification requirements and in the hardware available due to increased space, weight, and power constraints over those typically found in manned aircraft. This means, for instance, that typical hardware form factors used for manned aircraft may be impractical for smaller UASs, which may also place constraints on the software that can be supported.” (Figure 1.)

Figure 1 | A TrueCore commercial off-the-shelf (COTS) graphical processor software safety monitor library is designed to assist users to reach DAL A certification of graphics without the need for diverse GPU architectures. Photo courtesy of CoreAVI.

Small drones are definitely a point of concern since the December 2018 incident at London’s Gatwick airport, in which a small drone stopped hundreds of flights at the airport. These types of events where “civil air traffic was disrupted for days at Gatwick airport – one of the largest in Europe – by a small UAS, appropriate certification and control of


UAS use is only likely to become more important,” Joncas adds. “Similarly, the nascent air taxi market means that we are now looking at man-carrying UASs with no pilot control. Israel is pioneering this work for military programs.”

Adding to the dilemma, a UAS must have certain built-in capabilities in order to operate safely, including the ability to avoid collisions. “Collision avoidance is still a major hurdle for UASs in commercial airspace without a line-of-sight pilot or no pilot at all; trusting non-line-of-sight flight is going to be required for commercial needs,” says Gary Gilliland, technical marketing manager for DDC-I Inc. (Phoenix, Arizona). “This capability will allow the commercial market to explode – not literally – inasmuch that there are a lot of moneymaking opportunities for UAS in the commercial market.”

In addition to avoiding objects in the sky, drones need “to identify incoming aircraft and act accordingly. This is a pilot requirement that now has to be software-driven, which leads to new systems based on sense-and-avoid technologies,” Petty says.

Each of these capabilities has to be certified. “The actual process of following DO-254 and DO-178 remains the same,” Petty explains. “The difficulty now moves to a higher level as you flow down system requirements in order to type-certify unmanned aircraft. This in turn flows down hardware and software requirements to the subsystems. This flow down would identify the system requirements and safety levels for subsequent certification.”

Security headaches in military and commercial drones

Security is also a major issue for the aviation community. Some concerns include, in particular, the idea “that the software you intend to be running on the avionics systems is all that is running on the system,” Gilliland says. “This capability is typically referred to as secure boot and secure upgrade. There are many ways to do this, but we are seeing the hardware vendors are adding capabilities in the hardware to assist in this effort.”

“Military customers typically have additional security requirements, such as antitamper and interaction with mission systems,” Petty adds. “These additional requirements can have an impact on the overall safety boundary and in some cases need to be included in the safety certification activities.”

Companies have started to add more capabilities to help counter malicious threats within mission systems; even further, AFuzion offers training such as the DO-326A/ED-202A security ecosystem.

“Aviation cybersecurity via the new DO-326A/ED-202A document set is exploding, with worldwide certification


authorities insisting on compliance and the aircraft/avionics development and operational ecosystem quickly trying to cope with workable solutions,” Hilderman says. “Finally, Agile software development is being increasingly embraced as aviation suppliers try to cope with ever-faster schedules and changing system requirements; we’re finally seeing acceptance of what I call ‘MA’ for ‘Mostly Agile’ development in our previously staid development frameworks.”

Certifying multicore

Just when you thought safety certification wasn’t complicated enough already, along comes multicore technology. “The trends – or, really, recurring questions – that always arise within the broader aviation community are: ‘When will certification of multicore processors be routine?’ and ‘When will we have an approach to certify higher degrees of complexity such as autonomous or even intelligent systems?’” Mercury’s Graves says. “The industry has spent thousands of man-years to certify true multicore processors operating in multicore safety-critical modes.”

Hard work pays off, however, and users will see the effects of multicore processors in commercial aircraft by 2019 or 2020, Graves adds. “While this may be a trend as defined by a future direction, most computers produced today and for many years have been multicore.”

Just by looking at the history, users can get a glimpse of how long it takes to produce aviation safety-critical systems. “In fact, it has been 18 years since IBM first introduced the POWER4 multicore processor,” Graves continues. “Since it has taken so long to certify the complexity of multicore processing, there has been a lot of working-group discussion to examine alternative means of certification, with the hope of accelerating and enhancing the certification process. This should reduce the time required to gain safety-critical certification for very complex systems [including for military use].”

In addition, “Integrated modular avionics (IMA) continues to drive safety systems, bringing benefits including consolidation of mixed-criticality systems onto a common hardware platform and minimized cost of change through standardized modules and separation through partitioning,” says Ray Petty, vice president, Aerospace & Defense, Wind River (Alameda, California). “This has many advantages over fixed-functionality, single-application systems. Multicore adds more computing power to this architecture, potentially allowing even processor-intensive applications to run in a mixed-criticality system; however, this increases the burden of proof for safety for the platform provider and the application developer.”

Certifying multicore processors has the potential to not only reduce the time to market, but also lower the cost associated with certifying aircraft. As multicore processors edge out their legacy counterparts, certifying unmanned systems continues to be a challenge.


Military versus commercial requirements

Military and commercial end users have similar requirements in terms of the certification process, even though the goal of each user is ultimately entirely different. For example, “military customers are looking for the same security that commercial vendors are, but they also want to be sure that the system remains secure and cannot be compromised even if lost,” says Gary Gilliland, technical marketing manager for DDC-I Inc. (Phoenix, Arizona).

However, “military avionics customers have their own certification requirements and authorities,” he continues. “These requirements have not typically been as rigorous as DO-178C processes but are converging rapidly. Additionally, there is a strong push for reuse of software across military organizations utilizing the architectures such as defined by the FACE [Future Airborne Capability Environment] standard. Commercial customers are only concerned about reuse within their own organization.”

Within the last five years, “military customers have only recently expressed an interest in DO-254 certification and therefore typically require more support from vendors than commercial customers who may already have been through the process,” says David Mead, president and CEO, Holt Integrated Circuits (Mission Viejo, California). “In the case of COTS [commercial off-the-shelf] hardware or IP cores, Holt provides all the necessary artifacts for final FAA product certification on both military and commercial products. For COTS hardware ICs or IP cores, the certification requirements are the same for both military and commercial customers but may differ at the system level.” (Sidebar Figure 1.)

Sidebar Figure | Holt’s DO-254-certifiable COTS hardware ICs and IP core enable integrated solutions for ARINC 429 and MIL-STD-1553 applications. Photo courtesy of Holt Integrated Circuit.

“Military avionics customers are adopting more commercial avionics than ever before. It follows that our military avionics customers are increasingly using commercial avionics requirements,” says George Graves, chief technologist, Mercury Mission Systems, a unit of Mercury Systems (Andover, Massachusetts). “The military increasingly prefers to maximize the value of certifying military airworthiness as commercial equivalent where possible for affordability. Both the MH-139 helicopter and the KC-46A tanker are examples of military avionics customers adding military-specific avionics functionality to commercial avionics equipped platforms. The KC-46A has both FAA-type certification and a military-airworthiness flight release. The continued drive for affordability across military and commercial aerospace is driving reuse across all types of avionics requirements for both military and commercial customers. We expect our military avionics customers to continue this approach of maximizing the value of common with commercial requirements.”

Ray Petty, vice president, Aerospace & Defense, Wind River (Alameda, California) agrees: “In the past, military customers did not have to comply completely with civil airspace requirements. With advances in civil airspace under NextGEN (U.S. – Next Generation Air Transportation System) and SESAR (Europe – Single European Sky ATM Research) along with the cost of litigation, there are real operational advantages to complying with and using civilian airspace, and so we see more military aircraft moving towards compliance with civilian standards.”

Military avionics users have more stringent and complex requirements than their civil counterparts, explains Dan Joncas, vice president of sales and marketing for CoreAVI (Tampa, Florida). “This is driven by the integration of a larger range of sensor and other data than needed in civil systems and by the extensive use of unmanned systems.”

Additionally, the emergence of network-centric warfare means that military avionics have to deal with data streams from other platforms – airborne (manned/unmanned), space, maritime or land-based, Joncas continues. “Sorting, processing, and utilizing this data requires data fusion and the ability to display complex information on a range of displays varying from helmet mounted systems to large area multipurpose high-resolution systems. Furthermore, this information can be of varying DAL levels, so the graphics systems must handle mixed DAL information with guaranteed availability, performance, and separation of DAL levels. Importantly, the computational power required by military avionics systems including DAL-certified systems has increased hugely and will continue to do so for years to come.”

More importantly, the military market has been shifting towards requiring DO-254 hardware certification across the majority of



avionics systems, Joncas says. “In some sense this is the military catching up to the civil market; however, given the military’s computation requirements, their hardware needs are far more demanding. Both the military and civil markets have shown significant interest in utilizing graphics processing units (GPUs) to more efficiently execute application-specific compute functions that have previously been accomplished by having to use additional costly hardware, such as FPGAs, DSPs and CPUs, making already size-, weight-, and power-constrained spaces an even tighter fit. The desire for safety-critical GPU compute power is an obvious trend in both civil and military avionics markets to perform an array of functions for sensor interpretations and autonomous avionics systems.”

The one common thread that persists in both arenas is safety. “Everyone wants safety, but the military must simultaneously provide optimal mission success in the face of potentially unsafe conditions,” says Vance Hilderman, chief technical officer, AFuzion Inc. (Los Angeles, California). “Military aviation must operate in less benign conditions with greater emphasis on security.

“But fighter and rotorcraft also have unique power, cooling, and physical-space restrictions not present with larger (“Part 25”) civil aircraft,” Hilderman continues. “The old approach was simply to apply wholly different standards to military versus civil avionics. However, suppliers want to sell to both military and civil customers while those military customers want the cost benefits associated with shared military/civil products. The end result is a continued military convergence upon accepting civil standards as replacements for the corresponding military standards.

“We first saw that with software (DO-178C), then hardware (DO-254), then systems (ARP4754A), and now safety (ARP4761/A). Interestingly, since militaries typically don’t need civil certification authority oversight, militaries can be more flexible about certification standard interpretations and actually drive new technology adoption at a faster pace than civil. We saw that in UAVs, then integrated modular avionics, and now multicore processing. We’re seeing it also with AI [artificial intelligence] but we are not at liberty to discuss that latter topic.”


Optimizing multicore architectures for safety-critical applications

By Richard Jaenicke and Rick Hearn

While multicore processors offer designers of safety-critical avionics the significant benefits of smaller size, lower power, and increased performance, bringing those benefits to safety-critical systems has proved challenging. That’s due mainly to the complexity of validating and certifying multicore software and hardware architectures. Of principal concern is how an application running on one core can interfere with an application running on another core, negatively affecting determinism, quality of service, and – ultimately – safety.

Efforts to ease the safety-critical implementation of multicore processors are underway. Several standards have been updated to address multicore issues. These include ARINC 653, which covers space and time partitioning of real-time operating systems (RTOSs) for safety-critical avionics applications. ARINC 653 was updated in 2015 (ARINC 653 Part 1 Supplement 4) to address multicore operation for individual applications, which it calls “partitions.” The Open Group’s Future Airborne Capability Environment (FACE) technical standard version 3.0 addresses multicore support by requiring compliance with Supplement 4. Additionally, the Certification Authority Software Team (CAST) – supported by the FAA, EASA, TCCA, and other aviation authorities – has published a position paper with guidance for multicore systems called CAST-32A. Together, these documents provide the requirements for successfully using multicore solutions for applications certifiable up to DAL A, the highest RTCA/DO-178C design assurance level for safety-critical software.

Benefits of multicore

The benefits of a multicore architecture are numerous and compelling:

›› Higher throughput: Multithreaded applications running on multiple cores scale in throughput. Multiple single-threaded applications can run faster by each running in their own core concurrently. Optimal core utilization enables throughput to scale linearly with the number of cores.
›› Better SWaP [size, weight, and power]: Applications can run on separate cores in a single multicore processor instead of on separate single-core processors. For airborne systems, lower SWaP reduces costs and extends flight time.
›› Room for future growth: The higher performance of multicore processors supports future requirements and applications.
›› Longer supply availability: Most single-core chips are obsolete or close to obsolete. A multicore chip offers a processor at the start of its supply life.



Figure 1 | Separate processor cores (gray) share many resources (blue) ranging from the interconnect to memory and I/O.

Challenges for multicore in safety-critical applications

In a single-core processor, multiple safety-critical applications may execute on the same processor by robustly partitioning the memory space and processor time between the hosted applications. Memory-space partitioning dedicates a nonoverlapping portion of memory to each application running at a given time, enforced by the processor’s memory management unit (MMU). Time partitioning divides a fixed-time interval, called a major frame, into a sequence of fixed subintervals referred to as partition time windows. Each application is allocated one or more partition time windows, with the length and number of windows being factors of the application’s worst-case execution time (WCET) and required repetition rate. The operating system (OS) ensures that each application is provided access to the processor’s core during its allocated time. To apply these safety-critical techniques to multicore processors requires overcoming several complicated challenges, the most difficult being interference between cores via the shared resources.
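The time-partitioning rules described above can be checked mechanically before a schedule is ever loaded. The C sketch below is an added example, not code from the article or from any RTOS: it validates a major frame's partition time windows and each partition's budget against its WCET, and its `wcet_factor` argument models the multicore WCET growth the article goes on to discuss (a factor of 8 for one interfering core). The type names, the sample schedule, and the simplified rule that a partition must receive its full WCET once per period are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical types for this example; all times are in microseconds. */
struct window { int partition; uint32_t start_us; uint32_t len_us; };
struct partition_req { int id; uint32_t wcet_us; uint32_t period_us; };

enum sched_status {
    SCHED_OK = 0,
    SCHED_BAD_WINDOW,  /* zero-length window or window outside the major frame */
    SCHED_OVERLAP,     /* two windows claim the core at the same time */
    SCHED_BAD_PERIOD,  /* period is zero or does not divide the major frame */
    SCHED_BUDGET       /* a partition gets less window time than it needs */
};

/* Length of the intersection of [a0,a1) and [b0,b1). */
static uint32_t overlap_us(uint32_t a0, uint32_t a1, uint32_t b0, uint32_t b1)
{
    uint32_t lo = a0 > b0 ? a0 : b0;
    uint32_t hi = a1 < b1 ? a1 : b1;
    return hi > lo ? hi - lo : 0;
}

enum sched_status check_schedule(uint32_t major_us,
                                 const struct window *w, size_t nw,
                                 const struct partition_req *p, size_t np,
                                 uint32_t wcet_factor)
{
    /* 1. Every window is non-empty and lies inside the major frame. */
    for (size_t i = 0; i < nw; i++)
        if (w[i].len_us == 0 || w[i].start_us >= major_us ||
            w[i].len_us > major_us - w[i].start_us)
            return SCHED_BAD_WINDOW;

    /* 2. Time partitioning: no two windows may overlap on the core. */
    for (size_t i = 0; i < nw; i++)
        for (size_t j = i + 1; j < nw; j++)
            if (overlap_us(w[i].start_us, w[i].start_us + w[i].len_us,
                           w[j].start_us, w[j].start_us + w[j].len_us) > 0)
                return SCHED_OVERLAP;

    /* 3. In every period-long slice of the major frame, each partition's
     *    windows must add up to at least its (scaled) WCET. */
    for (size_t k = 0; k < np; k++) {
        if (p[k].period_us == 0 || major_us % p[k].period_us != 0)
            return SCHED_BAD_PERIOD;
        uint64_t need = (uint64_t)p[k].wcet_us * wcet_factor;
        for (uint32_t t0 = 0; t0 < major_us; t0 += p[k].period_us) {
            uint64_t got = 0;
            for (size_t i = 0; i < nw; i++)
                if (w[i].partition == p[k].id)
                    got += overlap_us(w[i].start_us,
                                      w[i].start_us + w[i].len_us,
                                      t0, t0 + p[k].period_us);
            if (got < need)
                return SCHED_BUDGET;
        }
    }
    return SCHED_OK;
}

/* Constructed sample: 100 ms major frame, three partitions on one core. */
static const struct window sample_windows[] = {
    {1, 0, 5000},     {2, 5000, 12000},  {1, 25000, 5000}, {3, 30000, 10000},
    {1, 50000, 5000}, {2, 55000, 12000}, {1, 75000, 5000},
};
static const struct partition_req sample_reqs[] = {
    {1, 4000, 25000},   /* flight control: 4 ms WCET every 25 ms   */
    {2, 10000, 50000},  /* display:       10 ms WCET every 50 ms   */
    {3, 5000, 100000},  /* maintenance:    5 ms WCET every 100 ms  */
};

/* Check the sample schedule with WCETs multiplied by wcet_factor. */
enum sched_status sample_status(uint32_t wcet_factor)
{
    return check_schedule(100000,
        sample_windows, sizeof sample_windows / sizeof sample_windows[0],
        sample_reqs, sizeof sample_reqs / sizeof sample_reqs[0],
        wcet_factor);
}

int main(void)
{
    printf("single-core WCET:     status %d\n", sample_status(1));
    printf("WCET x8 interference: status %d\n", sample_status(8));
    return 0;
}
```

The sample schedule passes with the single-core WCET figures and fails the budget check as soon as the WCETs are doubled, which is why a schedule sized on single-core measurements cannot simply be carried over to a multicore target.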

Interference between cores In a multicore environment, each processing core has limited dedicated resources. All multicore hardware architectures also include shared resources, such as memory controllers, DDR memory, I/O, cache, and the internal fabric that connects them (Figure 1). Contention results when multiple cores try to concurrently access the same resource. This situation means that a lower criticality application/partition could keep a higher criticality application/partition from performing its intended function. In a quad-core system, with cores only accessing DDR memory over the interconnect (i.e., no I/O access), multiple sources of interference from multiple cores have shown increases in WCET more than 12 times. Due to shared resource arbitration and scheduling algorithms in the DDR controller, fairness is not guaranteed and interference impacts are often nonlinear. In fact, tests show a single interfering core can increase WCET on another core by a factor of 8. CAST-32A provides certification guidance for addressing interference in multicore processors. One approach is to create a special use case based on testing and analysis of WCET for every application/partition and their worst-case utilization of shared resources. Special use case solutions, though, can lead to vendor lock and reverification of the entire system with the change of any one application/partition, making that approach a significant barrier to the implementation and sustainment of an integrated modular avionics (IMA) system. Without OS mechanisms and tools to support the mitigation of interference, sustainment costs and risk are very high. Changes to any one application will require complete WCET reverification activities for all integrated applications. The better approach is to have the OS effectively manage interference based on the availability of DAL A runtime mechanisms, libraries, and tools that address CAST-32A objectives. 
This provides the system integrator with an effective, flexible, and agile solution. It also simplifies the addition of new applications without major changes to the system architecture, reduces reverification activities, and helps eliminate OEM vendor lock.

Porting single-core software designs to multicore

While porting an existing safety system to a multicore platform provides more computing resources, the WCET of a given application can increase due to longer latency to access shared resources or interference from other cores. New analysis is needed to determine if other resources such as memory, memory controllers, and intercore communications can become a new bottleneck. While resources may run faster, changes in relative performance can cause an application to stop working or behave in a nondeterministic manner.

Effective utilization of multicore resources

To achieve the throughput and SWaP benefits of multicore solutions, the software architecture needs to support high utilization of the available processor cores. All multicore features must be supported, from enabling concurrent operation of cores (versus available cores being forced into an idle state or held in reset at startup) to providing a mechanism for deterministic load balancing. The more flexible the software multiprocessing architecture, the more tools the system architect has to achieve high utilization. [1]

Software multiprocessing architectures

Like multiprocessor systems, the software architecture on multicore processors can be classified by how memory from other processors or cores is accessed and whether each processor or core runs its own copy of the OS. The simplest software architecture for a multicore-based system is asymmetric multi-processing (AMP), where each core is run independently, each with its own OS or a guest OS on top of a hypervisor. Each core runs a different application with little or no meaningful coordination between the cores in terms of scheduling. This decoupling can result in underutilization due to lack of load balancing, difficulty mitigating shared resource contention, and the inability to perform coordinated activity across cores such as required for comprehensive built-in test. The modern alternative is symmetric multi-processing (SMP), where a single OS controls all the resources, including which application threads are run on which cores. This architecture is easy to


Figure 2 | The time-variant capability of INTEGRITY-178 tuMP enables different binding of applications to cores in different partition time windows.

program because all cores access resources “symmetrically,” freeing the OS to assign any thread to any core. Not knowing which threads will be running on which cores is a major challenge and a risk for deterministic operation in critical systems. To address this issue, CAST-32A references the use of bound multi-processing (BMP). BMP is an enhanced and restricted form of SMP that statically binds an application’s tasks to specific cores, enabling the system architect to tightly control the concurrent operation of multiple cores. BMP directly follows the multicore requirement in ARINC 653 Supplement 4 section 2.2.1, which states: “Multiple processes within a partition scheduled to execute concurrently on different processor cores.”

An example of a multicore RTOS for safety certification is Green Hills Software’s INTEGRITY-178 tuMP, a unified multicore RTOS that supports simultaneous combinations of AMP, SMP, and BMP. The RTOS’s time-variant unified multi-processing (tuMP) approach provides flexibility for porting, extending, and optimizing safety-critical and security-critical applications to a multicore architecture. It starts with a time-partitioned kernel running across all cores that allows any combination of AMP, SMP, and BMP applications to be bound to a core or groups of cores called affinity groups (Figure 2). It then adds time variance so that partition time windows do not need to be aligned across cores. INTEGRITY-178 tuMP also includes a bandwidth allocation and monitoring (BAM) capability, developed to DO-178C DAL A objectives. BAM is intended to enable system integrators to identify and mitigate interference on multicore-based systems, directly addressing the CAST-32A guidance and lowering integration and certification risk.

The hardware perspective: DO-254 certifiable multicore hardware

In addition to the DO-178 software, full safety certification of an aircraft also requires DO-254 certification for the hardware. Current and emerging aerospace requirements demand hardware processing capability that can support multiple functions and applications with mixed levels of safety criticality. These requirements, along with intense computational needs and architectures that include multicore processors, highlight a very clear and pressing need for RTOS technology capable of preventing performance degradation and shared resource contention. Hardware architectures that include multicore processing technology must be deliberately designed to set the number of active cores and the execution frequency,



Figure 3 | The VPX3-152 SBC is designed to support safety-critical multicore applications. The quadcore T2080 processor meets the performance requirements of many DAL A applications while using relatively low levels of power.

to specify which MCP peripherals are activated, and to determine the hardware support for shared memory and cache. In safety-critical applications, a multicore processor must be carefully selected and its host board architected based on several key factors, including a processor’s service history, availability of manufacturing and quality data, I/O capabilities, performance levels, and power consumption.

Rich Jaenicke is director of marketing for Green Hills Software. Prior to Green Hills, he served as director of strategic marketing and alliances at Mercury Systems, and held marketing and technology positions at XCube, EMC, and AMD. Rich earned an MS in computer systems engineering from Rensselaer Polytechnic Institute and a BA in computer science from Dartmouth College. Rick Hearn is the product manager for safety-certifiable solutions for Curtiss-Wright Defense Solutions. Rick has over 25 years of experience in design and design management positions in the telecommunications and defense industries, including 11 years of experience in design management and program management at Curtiss-Wright Defense Solutions. Green Hills Software • www.ghs.com Curtiss-Wright Defense Solutions • www.curtisswrightds.com

An example of a single board computer (SBC) designed to support safety-critical multicore applications is Curtiss-Wright’s VPX3-152 based on the NXP QorIQ T2080 Power Architecture processor (Figure 3). The quad-core T2080 meets the performance requirements of many DAL A applications at a relatively low level of power consumption. The T2080’s 16 available SerDes lanes effectively double the number of functions that can be directly serviced from the processor, thereby simplifying the overall board design and certification effort. The full capability of these multicore processors is realized when complemented by an RTOS that enables system designers and integrators to utilize all available compute power from the processor’s cores in a high-assurance manner. Use of a safety-critical, multicore SBC and an RTOS that provides deterministic, user-defined core and scheduling assignments can ensure that the performance capabilities of multicore hardware are fully achieved.

Notes

[1] This topic is specifically discussed in ARINC 653 Part 1 Supplement 4 section 2.2.1 as multiple processes (i.e., threads) within a partition executing concurrently across multiple cores and as concurrent partition execution.
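The partitioning rules this article describes (partition time windows inside a major frame, sized from each application's WCET and repetition rate, plus BMP's static binding of applications to cores) can be checked mechanically before a schedule is deployed. The C validator below is an added example, not code from the article, Green Hills Software, or Curtiss-Wright. The struct layout, error codes, sample schedule, and the rule that a multicore partition's budget is the sum of its window time across cores are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_CORES 4u            /* quad-core part, as in the article's examples */
#define SAMPLE_FRAME_US 20000u  /* constructed 20 ms major frame */

enum sched_err { SCHED_OK, SCHED_BAD_PARTITION, SCHED_BAD_WINDOW,
                 SCHED_AFFINITY, SCHED_OVERLAP, SCHED_BUDGET };

struct partition {       /* hypothetical layout, not an ARINC 653 schema */
    const char *name;
    uint32_t wcet_us;    /* core time per period, interference margin included */
    uint32_t period_us;  /* repetition period; must divide the major frame */
    uint8_t core_mask;   /* affinity group: bit n set = may run on core n */
};

struct window {          /* one partition time window on one core */
    unsigned core;
    uint32_t start_us;   /* offset from the start of the major frame */
    uint32_t len_us;
    size_t part;         /* index into the partition table */
};

/* Length of the intersection of half-open intervals [a0,a1) and [b0,b1). */
static uint32_t overlap(uint32_t a0, uint32_t a1, uint32_t b0, uint32_t b1)
{
    uint32_t lo = a0 > b0 ? a0 : b0;
    uint32_t hi = a1 < b1 ? a1 : b1;
    return hi > lo ? hi - lo : 0;
}

enum sched_err check_schedule(uint32_t frame_us,
                              const struct partition *p, size_t np,
                              const struct window *w, size_t nw)
{
    if (frame_us == 0)
        return SCHED_BAD_WINDOW;
    for (size_t i = 0; i < np; i++)
        if (p[i].period_us == 0 || frame_us % p[i].period_us != 0)
            return SCHED_BAD_PARTITION;

    for (size_t i = 0; i < nw; i++) {
        /* A window must name a real core and partition and fit in the frame. */
        if (w[i].core >= NUM_CORES || w[i].part >= np || w[i].len_us == 0 ||
            w[i].start_us >= frame_us || w[i].len_us > frame_us - w[i].start_us)
            return SCHED_BAD_WINDOW;
        /* BMP: time may only be granted on cores in the affinity group. */
        if (!(p[w[i].part].core_mask & (1u << w[i].core)))
            return SCHED_AFFINITY;
        /* Windows on one core must not overlap; windows on different cores
           may overlap or be misaligned (the time-variant case). */
        for (size_t j = 0; j < i; j++)
            if (w[j].core == w[i].core &&
                overlap(w[i].start_us, w[i].start_us + w[i].len_us,
                        w[j].start_us, w[j].start_us + w[j].len_us) > 0)
                return SCHED_OVERLAP;
    }

    /* Every period slot of every partition needs at least wcet_us of window
       time. Assumption: time granted on several cores is summed. */
    for (size_t i = 0; i < np; i++)
        for (uint32_t s = 0; s < frame_us; s += p[i].period_us) {
            uint64_t got = 0;
            for (size_t k = 0; k < nw; k++)
                if (w[k].part == i)
                    got += overlap(w[k].start_us, w[k].start_us + w[k].len_us,
                                   s, s + p[i].period_us);
            if (got < p[i].wcet_us)
                return SCHED_BUDGET;
        }
    return SCHED_OK;
}

/* Constructed sample: two single-core partitions, one bound to cores 2-3. */
static const struct partition SAMPLE_PARTS[] = {
    { "flight_ctl", 4000, 10000, 0x1 },
    { "nav",        6000, 20000, 0x2 },
    { "fusion",     8000, 20000, 0xC },
};
static const struct window SAMPLE_WINDOWS[] = {
    { 0,     0, 4000, 0 },
    { 0, 10000, 4000, 0 },
    { 1,  2000, 6000, 1 },   /* not aligned with core 0's windows */
    { 2,     0, 5000, 2 },
    { 3,  3000, 3000, 2 },
};

int main(void)
{
    enum sched_err e = check_schedule(SAMPLE_FRAME_US, SAMPLE_PARTS, 3,
                                      SAMPLE_WINDOWS, 5);
    printf("schedule check: %s\n", e == SCHED_OK ? "ok" : "rejected");
    return e == SCHED_OK ? 0 : 1;
}
```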



Standards Update

Development of the next-generation OpenVPX-based embedded system standard – A tri-service convergence of approaches: Part 1 of 3

By Mike Hackert (NAVAIR), Ben Peddicord (CERDEC), and Dr. Ilya Lipkin (AFLCMC)

Something exciting is happening in the service representative community. Representatives from three different programs, one from each of the U.S. Department of Defense (DoD) services, have come together with a common objective to solve their respective acquisition problems with an agreed-upon, open architecture standard. Here is Part 1 of a 3-part article covering the SOSA [Sensor Open System Architecture] Consortium’s efforts.

While standards are often driven by new technology trying to fulfill customer needs, this effort was driven by the acquisition community as it sought to reduce costs and development time by applying open-architecture principles in a practical and consensus-driven way. The goal of these efforts is to select the best-of-breed existing architectural frameworks and relevant standards, and to create something where a gap currently exists. Consequently, this tri-service convergence effort set itself up for success since it is driven by the end user in the acquisition community, tied to specific programs, as opposed to other efforts, which have started from the development or supplier community trying to fulfill a need without the direct “pull” from the customer.

The Navy has developed a hardware standard, Hardware Open Systems Technologies (HOST), that focuses the VMEBus International Trade Association’s (VITA’s) standards to fulfill DoD and aviation-specific requirements; while the Army has applied the Vehicular Integration for C4ISR/EW Interoperability (VICTORY [1]) standard and extended it with additional requirements such as Modular Open Radio Frequency (RF) Architecture (MORA [2]) and Department of Defense (DoD) VITA OpenVPX [3] profiles needed for radio frequency (RF) applications under their C4ISR [command, control, communications, computers, intelligence, surveillance, and reconnaissance]/EW [electronic warfare] Modular Open Suite of Standards (CMOSS) initiative. For its part, the Air Force is developing a standard for C4ISR systems under a consortium named Sensor Open System Architecture (SOSA), which is focusing on sensor- and processing-intensive systems, under which a number of applications can be standardized.

The focus of development for each of these programs has become the SOSA Consortium, which is maintained by The Open Group [4], a developer of industry standards formed in 1996 and noted for its origins standardizing the UNIX operating system developed in the 1970s by AT&T and more recently the Future Airborne Computing Environment (FACE [5]) Standard. The end-user community can thus come together and agree upon requirements for their particular applications.

The standard’s need statement

The DoD realizes that it can no longer continue to do business the way it did in the past, with each platform effectively a stovepiped fiefdom where technology was developed to uniquely fulfill their requirements. This situation resulted in repeatedly paying to create the same capability (e.g., a radio) which, in the end, may not interoperate with anything outside the system because its interfaces were developed for a specific purpose and use.

The real problem is that we need to develop new capabilities faster, more reliably, and with a long-term life cycle view, since our direct competitors will not wait. Additionally, the key problems of the rising development costs and the need to transition technology faster, coupled with shrinking budgets, require the DoD to be more agile. From a DoD acquisition perspective, nimbly deploying a new capability cannot cost hundreds of millions of dollars – or more – when the new capability includes a new platform, when individuals can effectively mount an attack or defense against it by buying or mail-ordering cheap consumer electronics. (Or by analogy to Star Wars, the Death Star was defeated by rogue fighters using cheap, omnipresent R2 units, the rebellion’s smallest but highly functional unit of a modular architecture, which might be likened to a modern-day single-board computer. [6]) Furthermore, the commercial industry has already shown how new capabilities can be developed at low costs and deployed by applying open architecture approaches that lend themselves to convenient upgrade (e.g., smartphone technology).

The Air Force, Army, and Navy representatives, as well as a majority of the DoD, also understand that capability no longer needs to be or should be tied to expensive platforms. For example, the avionics suite on an airborne platform ought to be developed in a modularized approach so that systems can be conveniently swapped out during system design and development. This approach is especially important to remain competitive against enemies that can outspend the U.S.

Of course, the DoD needs to continue to invest in new platforms. While the service life of the DoD’s older platforms can be extended by application of modularity and open architecture principles to allow for effective capability upgrades, this cannot be done indefinitely. Currently, platform acquisition timelines are measured in tens of years for development before deployment, which does not lend itself to fast capability deployment. With today’s fast-paced technology development, a capability will become obsolete, with a new capability being required before the first platform is delivered by an acquisition program. Consequently, the architectural approach being developed under SOSA lends itself to provide a certain degree of “future-proofing” to a new platform to allow new capability to be added or obsolescence addressed even before it achieves initial capability.



In order to keep up with the increasing pace of technology development, each service’s acquisition community is intimately involved in leading this effort. This cooperation will maximize the value and synergy from working together.

For the Air Force, the Air Force Life Cycle Management Center (AFLCMC) at Wright-Patterson Air Force Base in Ohio represents a number of sensor programs, all wishing to develop modular capability maximizing the reuse and sharing of system building blocks across programs.

For the Army, the U.S. Army’s Communications-Electronics Research, Development and Engineering Center (CERDEC – Aberdeen Proving Ground in Maryland), has developed its CMOSS suite of standards for C4ISR/EW and communications systems. While CMOSS started out as only a CERDEC product, the synergy with SOSA quickly became clear.

For the Navy, NAVAIR (Patuxent River, Maryland) had begun development of the HOST standard for application on its next-generation mission computing platforms. While HOST added specificity to established, state-of-the-art industry standards, specifically VITA 65 – OpenVPX, it became apparent that the addition of HOST would do the same for the SOSA standard, while again broadening SOSA’s application space by focusing on pure processing systems like an airborne mission computer.

While these independent efforts each started out focused on fulfilling the capability needs for each of their local service customers, the centers realized that by working together under SOSA, they could reduce costs for each other, which is most apparent for hardware (Figure 1).

The value proposition from standardization of hardware interfaces is easy to understand: Standardization of hardware modularization creates an environment where plug-in modules can become commoditized so that hardware development costs can be shared across acquisition programs and services. Examples include power supplies, which generally are required by all systems; network switches, which are increasingly used by system designers to relay information within a given system or provide connectivity outside of a system; or


Figure 1 | The Army, Air Force, and Navy realized that by working together under SOSA on standardization of hardware interfaces, they could reduce costs across the board.

single-board computers where integral processor technology becomes outdated and obsolete in a matter of a few years, which necessitates replacement due to obsolescence or updates to add additional capability.

The value proposition from standardization of software is much more difficult to concretely quantify. Standardization of software modularization creates an environment where software (e.g., applications or “apps”) can be shared and reused. Adequate definition of the interfaces allows new apps to be more quickly added/deployed. Consequently, the vision for this standardization of an architectural framework as well as specific interface definition is to allow new capabilities to be deployed more rapidly at lower costs.

The challenge these representatives face is to determine how to apply open architecture approaches and industry standards to best fulfill their common as well as specific embedded system needs. Thus, a true tri-service convergence is occurring in the SOSA Consortium to achieve this goal.

References

[1] Information on the VICTORY standard can be found at https://www.victory-standards.org/
[2] The MORA standard can also be found at the VICTORY website.
[3] Available at https://portal.victory-standards.org/MORA
[4] Available at http://www.opengroup.org/SOSA
[5] http://www.opengroup.org/face
[6] Lt. Col Dan Ward, USAF, “Don’t Come to the Dark Side: Acquisition Lessons from a Galaxy Far, Far Away,” Defense AT&L: Better Buying Power, Sept-Oct. 2011.

Mike Hackert is program sponsor at NAVAIR [Naval Air Systems Command], Ben Peddicord is chief of CERDEC [Combat Capabilities Development Command (CCDC) C5ISR Center/formerly the Communications-Electronics RD&E Center] Intel Technology and Architecture Branch, and Dr. Ilya Lipkin is lead manager for SOSA at the AFLCMC [Air Force Life Cycle Management Center].

NAVAIR | www.navair.navy.mil • CERDEC | www.cerdec.army.mil • AFLCMC | www.wpafb.af.mil/aflcmc

DON’T MISS PART 2 OF THIS 3-PART ARTICLE IN THE APRIL/MAY 2019 ISSUE OF MILITARY EMBEDDED SYSTEMS



ADVERTORIAL

EXECUTIVE SPEAKOUT

The Military Digital Convergence Mega-trend

By Ike Song, VP, GM Mercury Mission Systems

Commercial digital convergence has combined media, information systems, smartphones and autonomous vehicles. Digital convergence now has a proven roadmap and is enabling new technology breakthroughs in processing domains everywhere. Military digital transformation enables platforms to shrink and become more capable and adaptable for mission autonomy. Leveraging the digital convergence architectures created by billions of investment dollars from the commercial sector and coinciding with other prevailing trends, this transformation makes the military digital convergence inevitable.

On aerial platforms, the fundamental air speed, altitude, pitch/bank, direction and temperature instruments are increasingly being complemented with newer radar, electro-optical/infrared (EO/IR) and other electronically enabled sensors for environmental awareness, threat detection, intelligence, surveillance and reconnaissance (ISR). Although smarter, sensors are often developed as the response to a specific threat or technology opportunity and consequently become a standalone proposition.

Sensor integration into existing platforms is a best-fit affair

Without a holistic, scalable, and refreshable architecture and the ability to efficiently share common resources, these sensors need to rely upon their own proprietary processing chain, comprising signal acquisition, digitization, processing, and exploitation and dissemination functions. Mission and flight computers help the pilot execute a host of critical functions from avionics, to countermeasures, and fire control. These effectors, like sensors, have evolved and been introduced over time for similar reasons. Both are integrated into platforms in a distributed, federated manner, which has become the de facto sensor and mission processing architecture for military platform processing.

Meanwhile, commercial enterprises have defined platform processing architectures that are delivering driverless cars and other platforms that will ultimately dominate many aspects of the autonomous domain with their IP. And they are not using a federated approach to accomplish their missions. Unmanned vehicles developed for military applications opened the door to this commercial autonomy revolution. Disadvantaged by being first and having to react to a myriad of unforeseeable global threats, military leaders realize that the roadmap they started needs a major recalibration to remain vibrant and effective.

Commercial enterprises are focusing their independent research and development (IRAD) to develop agile, adaptable and holistic platform processing architectures. Guided by the hindsight obtained from being second to the unmanned vehicle challenge, their platform autonomy solutions emphasize performance, size, weight & power (SWaP), affordability and upgradability, which they are achieving through digital convergence. For autonomous vehicles to deliver on their promise of safe, efficient travel, a convergence of extensive sensing, cognitive decision making and safe effector implementation is required. With big financial bets being placed by Google, Apple, Amazon, Uber, Tesla and the automobile industry as a whole, the momentum of innovation has become unstoppable.

As in other commercial processing domains, digital convergence will redefine the game as autonomous vehicles from many enterprises and other nations become increasingly prevalent. If the same technology can be made ready for defense applications, then agile, adaptable, efficient platform processing will enable autonomous military vehicles to have all the capabilities the best commercial technology has to offer. With a proven technology roadmap and the availability of powerful processors and sensors, vehicle autonomy has passed its technological event horizon. Autonomous commercial vehicles are emerging and may soon be commonplace. The availability of this technology will necessitate a digital convergence in the military domain as well.

Mercury Systems has been working on digital convergence for years. To learn more, take a look at our whitepaper, The Military Digital Convergence.

Mercury Systems www.mrcy.com

Whitepaper Link: https://info.mrcy.com/1805-MMS-WP-MilitaryDigitalConvergence_ShortformLP.html?ch=OSMblogFeb2019


Editor’s Choice Products

Next-generation circular interconnects for soldier-worn applications

ITT Cannon’s Nemesis II CBA 20M+ is one of a group of miniature circular interconnects for soldier-worn applications. It is designed and tested for water submersion to 20-plus meters (65.6 feet). The small and lightweight interconnect part is intended to perform in extreme conditions and harsh environments, making it usable for battlefield communication devices and applications such as manpack and handheld radios, among others. The Nemesis II CBA 20M+ enables power, signal, and data in an integrated design package, enabling the warfighter to reduce physical load, maintain communication, and receive mission-critical information when they need it most. Key features include the company’s Cannon Breakaway functionality, which enables the user to quickly disconnect and reconnect if their cables and equipment become snagged. It also features a spring-loaded pogo contact that enables high mating cycles (quick connection/disconnection) that leads to durable and reliable operation in the field. Additional features include a highly engineered blind mating design and possible termination to wire, PCB, and flex circuits.

ITT Cannon | www.ittcannon.com

Dual mission-management unit for air, sea, land vehicles

The RD3003 from RDDS Avionics LTD is an open architecture dual mission computer designed for special mission platforms for air, sea, or land vehicles. The system leverages the company’s experience with the MMU200 series to upgrade to the latest specification hardware. The RD3003 can host a variety of sensor inputs and sensor HMI operating software including surveillance radar, forward-looking infrared (FLIR), sonar, and electronic warfare. The RD3003’s open architecture, rugged form factor, and dual-processor redundancy is aimed at use in harsh battle environments, enabling the user to be confident in mission-critical environments. It features an Intel i7 (2.4Ghz) four-core processor, carries dual CPUs and PSUs, has 8 Gb RAM, comes with two 512Gb SSD storage, and is fully qualified to RTCA DO-160G.

RDDS Avionics LTD | www.rdds.co.uk

The CloudberryMIL CRM-6200 Series for demanding SWaP designs

OnTime Network’s Cloudberry CR-6200 Series is a commercial off-the-shelf (COTS), fully managed Layer 2/3 Ethernet switch with an embedded Cisco 5921 Embedded Services Router (ESR) IOS and network time server capability (IEEE 1588 PTP, NTP, IRIG, 1PPS), all cased in a rugged housing. The switch is intended for high-performance connectivity under demanding size, weight, and power (SWaP) constraints in harsh environments such as high altitude, extreme shock and vibration, extended temperatures, humidity, dust and water exposure, noisy EMI [electromagnetic interference], and dirty power. The CR-6200 delivers data, video, and voice services anywhere LAN/WAN connectivity may be required, including in mobile, airborne, ground, manned or unmanned vehicle, and sensor applications. The system has routing speeds of as fast as 200 mbps for the Cisco 5921 ESR package or full wire speeds when used with OnTime Networks’ own router package. The Cisco IOS router software and the Cisco-like CLI interface on the switch-management side minimize training requirements and support IPv4/IPv6 routing protocols, IP multicasting, radio aware routing (RAR), Dynamic Link Exchange Protocol (DLEP), remote VoIP, firewall/IPS/IDS, mobile ad hoc networking (MANET) and mobile IP routing for connectivity in comms on the move (COTM) applications.

OnTime Network | www.ontimenet.com


Universal artillery calculator for land forces

The universal artillery calculator UKART-2 from WP Group was developed to calculate firing solutions for any type of armament used by the rocket and artillery units of land forces. The key component of the UKART-2 system is specialized software that runs alongside the FCS TOPAZ system. The UKART-2’s main features include the preparation of shooting and fire control using the ammunition implemented with digital ballistic tables. It can coordinate with the combat artillery unit, weather data, and ammunition data that is provided by ballistic tables, as well as the data from the fire-power and fire-support coordination components. The system is also able to calculate the topography of the area: Users can adjust the settings and target range measurements for each cannon/mortar/launcher firing position and adjust the timer settings. It also uses different types of digital maps such as CADRG [compressed ARC digitized raster graphics], GeoTIFF, MrSID [multiresolution seamless image database], CIB, VPF/SHP, and DTED [digital terrain elevation data]. Visualizations for the user of the tactical situation are based on APP-6A standard symbols.

WP Group | www.wbgroup.pl/en/

Test-and-measurement tool for smart weapons

Marvin Test Solutions’ MTS-3060 is an advanced flight line SmartCan tester that enables testing of suspension and alternate mission equipment (AME) including missiles, bombs, and rockets. With multiple measurement channels, dedicated and continuous squib circuit monitoring, multiple load channels, audio and video simulation, and MIL-STD-1760 systems, the MTS-3060 supports any platform and any legacy or future armament system. The MTS-3060 provides more than 30 measurement channels and the capability to simulate legacy and “smart” weapons. The multiple channels alleviate the requirement to use multiple testers when testing armament systems as is done today with legacy testers on F-16 and F-15. The simultaneous testing of multiple squib signals, combined with a cross-fire algorithm, provides a robust test process that is deeper than the single-channel or dual-channel methods offered by legacy “beercan” testers. The MTS-3060 can test additional weapons systems, including launchers, bomb racks, and other MIL-STD-1760 systems. The MTS-3060 is also compatible with the legacy SERD 75060 beercan tester and can interface with existing 75060 cables and adapters.

Marvin Test Solutions | www.marvintest.com

Nano-RISE data-storage systems designed for airborne applications

The Ampex nano-RISE family of data-storage systems is designed for rugged environments, including manned and unmanned vehicle applications. It is a modular solution that consists of three parts: The nano-R Intelligent Storage Elements (ISEs), the nano-R Deck, and the nano-R Controller. The nano-R ISEs are the core of the system; they insert into the nano-R deck and work in conjunction with other ISEs in the deck, with each ISE providing standalone or collaborative capabilities. Each ISE can include storage, a processor, and a video encoder or other specialty devices. Each ISE has intelligence to encode, format, store, stream, and share up to two channels of HD video while acting as a file server. The nano-R Deck is the hub for the nano-R ISE system, which contains the power supply, the USB-to-network interface and an embedded switch, the video-conversion logic, and slots for one or more nano-R ISE modules. Additionally, the nano-R controller is a detachable touch-screen handset that can run Windows 10 or Android. When running Windows, commodity software can be used with the system to view embedded KLV metadata within the video streams. The nano-R controller can be detached and used remotely through WiFi and an optional battery.

Ampex | www.ampex.com



Keep pace with a standardized development process

By Nicholas Butler, National Instruments

Standardization has been an aspirational objective in test organizations for decades. In 1961, D.B. Dobson and L.L. Wolff of Radio Corporation of America (RCA) published a paper, “Standardization of Electronic Test Equipment.” The paper presented the principles, criteria, and techniques used in the investigation and prototyping of multipurpose missile system test equipment.

The goal of most early technology standardization efforts was to limit the variety of equipment used in test solutions across the organization. The key objective RCA achieved was the design and deployment of a modular hardware set. Modular hardware leads to higher equipment reuse, more integrated test solutions, fewer obsolete components, and an easier process for technology replacement.

The RCA paper described the process of identifying shared inputs and outputs across multiple functional components and missile programs to define the requirements of its modular hardware system. It was this process of identifying and separating common elements that can be addressed together that became the basis of abstraction.

Larger instrumentation standardization efforts and a move toward commercial off-the-shelf technology have led to modular hardware standards like VXI, PXI, PXIe, and AXIe that are used in test organizations across many industries. Standard modular hardware platforms abstract redundant elements like power supplies, cooling, and user interfaces to single points within the system.

Software as the backbone of standardization

Security requirements and fast-paced changes are compelling modern test organizations to go far beyond just hardware standardization; they’re now also focusing on software layers and the practices used to develop them. Test engineering teams must begin the process of adopting and standardizing on iterative software development to keep pace with product development teams and maintain project schedules in an industry that is quickly modernizing.

In the report Design and Acquisition of Software for Defense Systems, the Defense Science Board (DSB) states, “Many of the capabilities provided by our weapons systems are derived from the software of the system, not the hardware. This shift from hardware-enabled capabilities to software-enabled capabilities is increasing quickly.”

The best test software engineering teams are building abstracted test software that delivers even more benefits than abstracted hardware provides. An abstracted software platform comprises layers that perform specific functions, which enables teams to repair and upgrade each module individually while isolating other layers by maintaining the same inputs and outputs.

“With dozens of legacy business lines, software standardization has to address the history of each group,” said Mark Keith, chief engineer at Honeywell Aerospace. “The purpose [of abstraction] is to minimize or eliminate the need for software modifications when that obsolete hardware is replaced.”

The test organization must also implement practices that drive faster and more flexible delivery. To deliver all the demanded features, software engineering teams are moving to continuous iterative software development practices like Agile. As stated in the DSB report, “The main benefit of iterative development is the ability to catch errors quickly and continuously, integrate new code with ease, and obtain user feedback throughout the development of the application.”

Iterative software development is now an industry-standard practice, and the report says that it “will help the [Department of Defense (DoD)] to operate in today’s dynamic security environment, where threats are changing faster than Waterfall development can handle.”

Standardizing on iterative development

Iterative software development requires a well-orchestrated team that works cooperatively and – much like the abstraction of hardware platforms and software architectures – includes shared and repeated concepts and tasks. Teams that collaborate on code bases must agree and standardize on tools for source code control, unit test frameworks, code analysis, work management, and deployment.

A growing additional concern is cybersecurity. The DSB states: “Checking a software system’s code base daily keeps manageable the number of changes required to comply with a large base of cyber rules.”

In the report Contracting Strategy for F-22 Modernization, the Inspector General of the DoD states, “According to a Program Office official, the DoD is at risk of losing its technological edge against U.S. adversaries and it needs to find innovative ways to bring capabilities to the warfighters faster.” Iterative development is a proven method for accelerating technology development across multiple industries, not only defense and aerospace.

While test engineering teams have been focusing on hardware standardization and tiered software architectures, R&D organizations have moved toward iterative product development. All aspects of standardization are important and valuable to test organizations, but standardization must be refined to work with the engineering practices under development today. Test organizations that adopt Agile software development practices are poised to capitalize on this approaching opportunity.

Nicholas Butler is head of Aerospace and Defense Marketing at National Instruments.


WHERE TECHNOLOGY EXPERTS GATHER

MARKET TRENDS, TECHNOLOGY UPDATES, INNOVATIVE PRODUCTS Military Embedded Systems focuses on embedded electronics – hardware and software – for military applications through technical coverage of all parts of the design process. The website, Resource Guide, e-mags, newsletters, and print editions provide insight on embedded tools and strategies such as software, hardware, systems, technology insertion, obsolescence management, and many other military-specific technical subjects. Coverage includes the latest innovative products, technology, and market trends driving military embedded applications such as radar, sonar, unmanned system payloads, artificial intelligence, electronic warfare, C4ISR, avionics, imaging, and more. Each issue provides readers with the information they need to stay connected to the pulse of embedded technology in the military and aerospace industries. mil-embedded.com


CONNECTING WITH MIL EMBEDDED By Mil-Embedded.com Editorial Staff

www.mil-embedded.com

GIVING BACK | MARKET PULSE | WHITE PAPER | BLOG | VIDEO | SOCIAL MEDIA | WEBCAST

GIVING BACK

Homes For Our Troops

For the past five years, the editorial staff of Military Embedded Systems has highlighted in each issue a different charitable organization that benefits the military, veterans, and their families. We are honored to cover the technology that protects those who protect us every day. To back that up, our parent company – OpenSystems Media – makes a donation to every group we showcase on this page.

This issue, we decided to revisit one of the first organizations we spotlighted (see Military Embedded Systems April/May 2014 issue), Homes For Our Troops, as it celebrates its 15th year of operation. Homes For Our Troops was started in 2004 by a Massachusetts general contractor who offered to build a battle-injured Massachusetts Army National Guard soldier a specially adapted custom home. The soldier agreed to have the contractor build the home on the condition that he do the same for other injured veterans.

When we first reported on Homes For Our Troops in 2014, it had completed and donated 164 specially adapted custom homes for severely injured post-9/11 veterans nationwide. As of this update, the 501(c)(3) nonprofit organization has built 274 homes for injured post-9/11 veterans in 42 states, with another 79 projects underway.

According to information from the organization, it continues a relationship with the veterans after delivering the home: Homes For Our Troops provides a pro bono financial planner for three years to assist in financial planning and household budgeting, in addition to homeownership education and warranty coverage to ensure that the veteran is set up for long-term success as a homeowner. It also maintains a network of nonprofits, corporations, and government entities to help recipients with employment, education, training, health, and other issues.

For more information on Homes For Our Troops, please visit https://www.hfotusa.org/.

WEBCAST

Powering Artificial Intelligence at the Edge with Embedded Processors

By ADLINK and QuickLogic

Artificial intelligence (AI) is set to transform embedded systems operating at the edge of operational networks thanks to a new breed of powerful, yet power-efficient, embedded processors. Digital security and surveillance (DSS) systems, computer vision, automotive safety, and industrial robotics are just a few of the applications that stand to benefit from this emerging technology. Participants in this webcast will learn about the latest generation of embedded processors and IP, as well as the performance tradeoffs between CPUs, GPUs, DSPs, FPGAs, and ASICs in intelligent system design. In addition to available silicon solutions, there will be discussion of supported machine learning software and frameworks that help accelerate AI development.

View archived webcast: http://ecast.opensystemsmedia.com/834
View more webcasts: http://opensystemsmedia.com/events/e-cast/schedule

WHITE PAPER

Reducing Risk and Accelerating Time to Market With Turret Aiming and Stabilization

By Andreas Schneider, Director, Curtiss-Wright Defense Solutions

Designing a reliable and high-performance turret drive system for a combat tank or infantry fighting vehicle requires a precise understanding of the trade-offs that can be made to ensure the system meets the required performance metrics within SWaP-C [size, weight, power, and cost] limitations. In the white paper, learn how a prequalified and customized system that is based on proven modular components can reduce program risks and accelerate time to market. An integrated turret drive system that is tailored for program requirements minimizes customization tasks for tanks, infantry fighting vehicles, and remote weapons stations, while reducing program cost and risk.

Read the white paper: https://bit.ly/2TUfwOG
Read more white papers: http://mil-embedded.com/white-papers/



May 6-8, 2019 Gaylord National Convention Center National Harbor, Md., United States www.SeaAirSpace.org

Sea-Air-Space is the premier maritime event in the United States. Make plans to join the Navy League’s Sea-Air-Space 2019 show along with thousands of other senior leaders from the U.S. Navy, Coast Guard, Marines and Maritime Administration. With over 15,000 attendees, 327 exhibitors, 40 international delegations and 9 HON in attendance, Sea-Air-Space is your destination for doing business with the global naval and maritime community!

Want to become a Navy League member? Join online at www.NavyLeague.org


We didn’t break the mold.

We shattered it.

RFSoC

Unparalleled Performance

Unbelievably Fast Integration

The combination of Pentek’s new Quartz™ architecture, and the processing power packed into the new Zynq® UltraScale+™ RFSoC FPGA, smashes the boundaries of high-performance embedded computing. Pre-loaded with a host of IP modules, this OpenVPX board is ready for out-of-the-box integration into high-performance systems. Optical streaming interfaces, a unique modular design and the Navigator™ development platform means fast, high-speed deployment.

• Powerful Zynq Ultrascale+ FPGA with built-in wideband A/Ds, D/As & ARM processors
• Dual Optical 100 GigE interfaces for extreme system connectivity
• Robust Factory-installed IP for waveform generation, real-time data acquisition and more

Eight-Channel A/D & D/A RFSoC in 3U VPX Conduction Cooled

• QuartzXM™ eXpress Module speeds migration to other form factors
• Board Resources include PCIe Gen.3 x8 and 18 GB DDR4 SDRAM
• Navigator Design Suite BSP and FPGA design kit for seamless integration with Xilinx Vivado®

Unleash the Power of the RFSoC. Download the FREE White Paper! https://www.pentek.com/go/mesrfsoc

All this plus FREE lifetime applications support! Pentek, Inc., One Park Way, Upper Saddle River, NJ 07458 Phone: 201-818-5900 • Fax: 201-818-5904 • email: info@pentek.com • www.pentek.com Worldwide Distribution & Support, Copyright © 2018 Pentek, Inc. Pentek, Quartz and Navigator are trademarks of Pentek, Inc. Other trademarks are properties of their respective owners.

