Military Embedded Systems March 2021 by OpenSystems Media

@military_cots

John McHale

Mil Tech Trends

DO-178: Adapting to digital

Mil Tech Insider A MOSA milestone

Industry Spotlight FACE advances in airborne www.MilitaryEmbedded.com

Military avionics market steady

22 11 30

March 2021 | Volume 17 | Number 2

DIGITAL AVIONICS DISPLAYS FROM THE COCKPIT TO THE HELMET TO THE HOLOGRAPH P 14

P 40 Virtualization: A FACE lift for vehicle control By Will Keegan, Lynx Software Technologies

We Have You Covered from RF to Bits The industry’s most complete portfolio of ICs and modules. RF/µW Amplifiers/ TR Modules

Analog Beamforming

Frequency Conversion

Converters and Transceivers

ADC DAC

Power

Find your competitive advantage at analog.com/ADEF

The Only Full EcoSystem of 3U & 6U 100Gb Ethernet SOSA-Aligned Products TM

FPGA DIGITIZING & PROCESSING

6.4 Tb/s 100GbE SWITCHING

32 TB DEPTH & 5 GB/s RATE RECORDING CHASSIS, BACKPLANE & SECURE CHASSIS MANAGER

Annapolis

Micro Systems

We GUARANTEE Seamless 100GbE System Integration Because We Design and Manufacture Every Product

www.militaryembedded.com

TABLE OF CONTENTS 14

March 2021 Volume 17 | Number 2

COLUMNS Editor’s Perspective 8 Military avionics market flying steady By John McHale

University Update 10 Advances in technology attempt to enable safer battle conditions By Lisa Daigle

Mil Tech Insider 11 The OMFV next-generation combat vehicle: A MOSA milestone

FEATURES SPECIAL REPORT: Avionics upgrades 14 Digital avionics displays from the cockpit to the helmet to the holograph By Sally Cole, Senior Editor 18 COM-HPC for military: Opportunities and challenges By John Reis, Advantech

MIL TECH TRENDS: Certifying COTS hardware and software

By Mike Macpherson

THE LATEST

22 DO-178 continues to adapt to emerging digital technologies By Emma Helfrich, Technology Editor

Defense Tech Wire 12 By Emma Helfrich

26 Commercial Solutions for Classified (CSfC) – A primer By Jonathan Kline, Star Lab (a Wind River company)

Editor’s Choice Products 44 By Mil Embedded Staff

INDUSTRY SPOTLIGHT: Military avionics and the FACE technical standard

Connecting with Mil Embedded 46 By Mil Embedded Staff 10

30 FACE combats existential threats to advance global competitiveness in

airborne systems

By Chip Downing, Real-Time Innovations (RTI) 34 Making software FACE-conformant and fully portable:

Coding guidance for Ada

By Benjamin M. Brosgol, AdaCore 40 Virtualization: A FACE lift for vehicle control By Will Keegan, Lynx Software Technologies 30

WEB RESOURCES Subscribe to the magazine or E-letter Live industry news | Submit new products http://submit.opensystemsmedia.com WHITE PAPERS – Read: https://militaryembedded.com/whitepapers WHITE PAPERS – Submit: http://submit.opensystemsmedia.com All registered brands and trademarks within Military Embedded Systems magazine are the property of their respective owners. © 2021 OpenSystems Media © 2021 Military Embedded Systems ISSN: Print 1557-3222

To unsubscribe, email your name, address, and subscription number as it appears on the label to: subscriptions@opensysmedia.com Published by:

4 March 2021

ON THE COVER: The digital cockpits of military aircraft today have increased in complexity and capability by leveraging commercial processing, graphics, and navigation in open architecture designs bringing unprecedented awareness and advantages to military pilots. In photo: The side head-up display for AC-130J gunship cockpits was upgraded with the MAGIC1A high-performance embedded computing system from Abaco Systems. Photo by Airman Cameron Lewis. https://www.linkedin.com/groups/1864255/

MILITARY EMBEDDED SYSTEMS

@military_cots

www.militaryembedded.com

THE VPX POWER SUPPLY FAMILY

WITH THE HIGHEST IQ

INTRODUCING THE BREAKTHROUGH IQI INTERFACE VITA 46.11 TIER 2 COMPLIANT FIRMWARE THAT MONITORS AND REPORTS POWER SUPPLY STATUS IN REAL TIME Behlman introduces the VPXtra® IQI interface – a VITA 46.11, Tier 2 compatible Intelligent Platform Management Controller with the ability to monitor and report power supply status. Now users can easily obtain vital diagnostic information including the voltage and current of each output, input voltage and current, and internal temperature at three locations. Event Messages automatically notify users of the operating state as compared to programmed thresholds to provide complex diagnostic information. The IQI supports a dual IPMB for redundant communications and includes a diagnostic USB port.

The Power Solutions Provider

: 631-435-0410

: sales@behlman.com

: www.behlman.com

ADVERTISERS PAGE 20 2 47 3 5 38 21 7 9 23 48 28 43 32 17 33

ADVERTISER/AD TITLE AirBorn – Your D-shaped interconnect leader Analog Devices, Inc. – We have you covered from RF to bits Analog Devices, Inc. – Accelerating time from concept to product Annapolis Micro Systems – The only full ecosystems of 3U & 6U 100Gb Ethernet SOSA-aligned products Behlman Electronics, Inc. – The VPX power supply family with the highest IQ Dawn VME Products – Dawn single slot OpenVPX development backplanes Elma Electronic – VITA 48.4 Liquid flow-through cooling Extreme Engineering Solutions (X-ES) – A processor first, but with the programmability of an FPGA GMS – Rugged servers, engineered to serve. Harwin – High power AND reliability? Pentek – The big thing in RFSoC is here. (And it’s only 2.5 inches wide!) Phoenix International – Phalanx II: The ultimate NAS PICO Electronics Inc. – 18" ht. Size does matter! Pixus Technologies – Ultra-high speed & powerful cooling OpenVPX SeaLevel Systems, Inc. – Thrives in rugged environments. Lives to test limits. Vector Electronics – VME/VXS/cPCI chassis, backplanes & accessories

GROUP EDITORIAL DIRECTOR John McHale john.mchale@opensysmedia.com ASSISTANT MANAGING EDITOR Lisa Daigle lisa.daigle@opensysmedia.com SENIOR EDITOR Sally Cole sally.cole@opensysmedia.com TECHNOLOGY EDITOR Emma Helfrich emma.helfrich@opensysmedia.com ONLINE EVENTS MANAGER Josh Steiger josh.steiger@opensysmedia.com CREATIVE DIRECTOR Stephanie Sweet stephanie.sweet@opensysmedia.com SENIOR WEB DEVELOPER Aaron Ganschow aaron.ganschow@opensysmedia.com WEB DEVELOPER Paul Nelson paul.nelson@opensysmedia.com CONTRIBUTING DESIGNER Joann Toth joann.toth@opensysmedia.com EMAIL MARKETING SPECIALIST Drew Kaufman drew.kaufman@opensysmedia.com VITA EDITORIAL DIRECTOR Jerry Gipper jerry.gipper@opensysmedia.com

SALES/MARKETING DIRECTOR OF SALES AND MARKETING Tom Varcie tom.varcie@opensysmedia.com (734) 748-9660 MARKETING MANAGER Eric Henry eric.henry@opensysmedia.com (541) 760-5361 STRATEGIC ACCOUNT MANAGER Rebecca Barker rebecca.barker@opensysmedia.com (281) 724-8021 STRATEGIC ACCOUNT MANAGER Bill Barron bill.barron@opensysmedia.com (516) 376-9838 STRATEGIC ACCOUNT MANAGER Kathleen Wackowski kathleen.wackowski@opensysmedia.com (978) 888-7367 SOUTHERN CAL REGIONAL SALES MANAGER Len Pettek len.pettek@opensysmedia.com (805) 231-9582 ASSISTANT DIRECTOR OF PRODUCT MARKETING/SALES Barbara Quinlan barbara.quinlan@opensysmedia.com (480) 236-8818 STRATEGIC ACCOUNT MANAGER Glen Sundin glen.sundin@opensysmedia.com (973) 723-9672 INSIDE SALES Amy Russell amy.russell@opensysmedia.com TAIWAN SALES ACCOUNT MANAGER Patty Wu patty.wu@opensysmedia.com CHINA SALES ACCOUNT MANAGER Judy Wang judywang2000@vip.126.com EUROPEAN MARKETING SPECIALIST Steven Jameson steven.jameson@opensysmedia.com +44 (0)7708976338

WHITE PAPERS Increasing Density in Defense Electronic Systems By Omnetics Connector Corp. https://bit.ly/3e3WD98 How to Deploy AI Datacenters in Planes, Trains, Ships and Automobiles By One Stop Systems/John Cox, Pure B2B https://bit.ly/2OgbIt8 Get more white papers: https://militaryembedded.com/whitepapers

WEBCAST SOSA Conformance and What It Means To You Sponsored by Elma Electronic, Kontron, and Pentek https://bit.ly/2NYON5L

www.MilitaryEmbedded.com 6 March 2021

MILITARY EMBEDDED SYSTEMS

WWW.OPENSYSMEDIA.COM PRESIDENT Patrick Hopper patrick.hopper@opensysmedia.com EXECUTIVE VICE PRESIDENT John McHale john.mchale@opensysmedia.com EXECUTIVE VICE PRESIDENT Rich Nass rich.nass@opensysmedia.com EMBEDDED COMPUTING BRAND DIRECTOR Rich Nass rich.nass@opensysmedia.com ECD EDITOR-IN-CHIEF Brandon Lewis brandon.lewis@opensysmedia.com TECHNOLOGY EDITOR Curt Schwaderer curt.schwaderer@opensysmedia.com ASSOCIATE EDITOR Perry Cohen perry.cohen@opensysmedia.com ASSISTANT EDITOR Tiera Oliver tiera.oliver@opensysmedia.com CREATIVE PROJECTS Chris Rassiccia chris.rassiccia@opensysmedia.com PROJECT MANAGER Kristine Jennings kristine.jennings@opensysmedia.com MARKETING COORDINATOR Katelyn Albani katelyn.albani@opensysmedia.com FINANCIAL ASSISTANT Emily Verhoeks emily.verhoeks@opensysmedia.com FINANCE Rosemary Kristoff rosemary.kristoff@opensysmedia.com SUBSCRIPTION MANAGER subscriptions@opensysmedia.com CORPORATE OFFICE 1505 N. Hayden Rd. #105 • Scottsdale, AZ 85257 • Tel: (480) 967-5581 REPRINTS WRIGHT’S MEDIA REPRINT COORDINATOR Wyndell Hamilton whamilton@wrightsmedia.com (281) 419-5725

www.militaryembedded.com

EDITOR’S PERSPECTIVE

Military avionics market flying steady John.McHale@opensysmedia.com

The last 12 months have not been kind to commercial avionics suppliers, as the pandemic ended up grounding many flights and slowing aircraft purchases, consequently meaning fewer orders for avionics systems like displays and computers. Those commercial avionics suppliers – whether prime contractors or embedded computing suppliers – that are staying afloat are ones with a strong military business to offset the losses from the commercial market, as the military avionics market remains healthy. Military primes and integrators are benefiting not only by being an essential business but also from the increases in defense spending the last few years. Digital cockpit upgrades continue on pace: Large upgrade programs including the C-130 Avionics Modernization Program Increment 2, led by L3Harris, are going strong. In January 2021 the U.S. Air Force also awarded L3Harris with a $668 million IDIQ contract to help maintain its C-130 aircraft fleet readiness. On the embedded computing side Abaco Systems has seen multiple wins over the last few months, such as the upgrade to the AC130J gunship side head-up display, detailed in our Special Report on page 14. Upgrades such as these are also based on open architecture designs and initiatives such as the Future Airborne Capability Environment (FACE) Technical Standard, which enables not only faster development times but also reduced downtime and lower long-term life cycle costs. The FACE Technical Standard, now in version 3.0, is becoming a staple of military avionics requirements, with buy-in from all levels of the military aviation supply chain – services, prime contractors, and commercial off-the-shelf (COTS) suppliers. In this year’s Avionics Issue we dedicate our entire Industry Spotlight to FACE, with in-depth articles starting on page 30 from: Chip Downing of RTI: “FACE combats existential threats to advance global competitiveness in airborne systems” Will Keegan of Lynx Software Technologies: “Virtualization: A FACE lift for vehicle control” Benjamin J. Brosgol of AdaCore: “Making software FACEconformant and fully portable: Coding guidance for Ada” “Adopting MOSA [Modular Open Systems Approach] and deploying the FACE Technical Standard and business approach has proven to accelerate the inclusion of the latest airborne innovations,” Downing writes. “In addition, these moves are creating a parallel market for COTS certification evidence that

8 March 2021

MILITARY EMBEDDED SYSTEMS

By John McHale, Editorial Director removes program risk and accelerates time-to-airworthiness and deployment.” Certification, whether for safety or security, continues to be a must for military avionics suppliers and integrators to keep top of mind, even if the military is not required to comply with safety certification such as RTCA DO-178. “Militaries used to do really advanced testing called ‘black box’ when you can’t see inside,” says Vance Hilderman, chief technical officer at AFuzion in the Mil Tech Trends article titled “DO-178 continues to adapt to emerging digital technologies” on page 22. “Military avionics was really good at testing from the outside, but while important, civil aviation DO-178 provides more intrusive ‘light box’, so you look inside the software. So, older military systems were really well tested from the outside, but you didn’t really know what was inside. Now, militaries are using 178 as almost mandatory throughout the world.” Market health While military and commercial avionics applications have different requirements, different end users, and different market drivers, companies that play in both areas weather downturns in either market much better. In times of defense budget cuts and sequestration, many military avionics divisions took hits, but were propped up by their commercial aviation counterparts. Today, it’s the other way around, and may be for a few more years, say industry analysts at Deloitte. “Global aerospace and defense (A&D) industry revenue is expected to begin to recover in 2021 after a difficult year in 2020,” but uneven between defense and commercial markets, according to the Deloitte 2021 aerospace industry outlook (find it on www2.deloitte.com/us/en.html). “The commercial aerospace sector has been significantly affected by the COVID-19 pandemic, which has led to a dramatic reduction in passenger traffic, in turn affecting aircraft demand,” the Deloitte study says. “As a result, the commercial aerospace sector is expected to recover slowly, as travel demand is not expected to return to pre-COVID-19 levels before 2024. The defense sector is expected to remain stable in 2021, as most countries have not significantly reduced defense budgets and remain committed to sustaining their military capabilities. However, given the disruption in the complex global supply chain, some defense programs could face minor cost increases and schedule delays in 2021.” It’s getting to be a tricky balance. Military avionics suppliers I talk to, however, are cautiously optimistic that defense funding will continue to be robust even after the bills for all the pandemic stimulus packages come due. www.militaryembedded.com

UNIVERSITY UPDATE

Advances in technology attempt to enable safer battle conditions By Lisa Daigle, Assistant Managing Editor Several programs underway at Purdue University intend to develop state-ofthe-art technology that will train military leaders for modern warfare and make battlefield operations more secure. One team of Purdue innovators reports development of battlefield-simulation technology that they used to produce a virtual reality (VR) tour of the beaches that the Allied troops landed on during the D-Day operations in Normandy, France (watch the VR video from Purdue at https://www.youtube.com/watch?v=E qRTAGPz5WM&feature=youtu.be). “We apply what we know from the field of physics and treat the virtual soldiers almost like liquids that are interacting on the battlefield,” says Sorin Adam Matei, a professor of communication and associate dean in Purdue’s College of Liberal Arts. “Military educators can use this tool to teach future leaders lessons learned from historic battles in a visually exciting way that brings them to life for the students.” This particular team’s work – under the aegis of FORCES (4S) – Strategy, Security and Social Systems Initiative in Purdue’s College of Liberal Arts – “supports the use of social scientific research in strategy and security activities to shape long-range and global military, political and organizational decision-making for a just, stable and secure world.” Jonathan Poggie, a professor of engineering at Purdue, says of the project: “We’re exploring a new approach to group behavior that has the potential to significantly change wargaming and crisis management. I’m enthusiastic about bringing to bear some of the techniques we’ve developed in aerodynamics and high-performance computing on military decision-making.” Poggie, team member Robert Kirchubel, and research assistant Matthew Konkoly are also working on a battlefield simula-

10 March 2021

tion of the Civil War battle of Gettysburg; the trio has formed a startup company called FORCES Inc. to help commercialize the technology. Another team from Purdue is working on advances that will lead to more secure use of artificial intelligence (AI) in unmanned aerial systems (UASs) used on the battlefield. The Purdue team, together with colleagues from Princeton University, is leading research on ways to protect the software of UASs used on the battlefield by securing their machine learning (ML) algorithms, the data the machines rely on to operate semi-autonomously on the battlefield. (Figure 1.) The project, part of the Army Research Laboratory (ARL) Army Artificial Intelligence Institute (A2I2), is backed by up to $3.7 million for five years. The prototype system will be called SCRAMBLE, a somewhat-tortured acronym for “SeCure Real-time Decision-Making for the AutonoMous BattLefield.” “The implications for insecure operation of these machine learning algorithms are very dire,” says principal investigator Saurabh Bagchi, a Purdue professor of electrical and computer engineering who holds a courtesy appointment in computer science. “If your platoon mistakes an enemy platoon for an ally, for example, then bad things happen. If your drone misidentifies a projectile coming at your base, then again, bad things happen. So, you want these machine learning algorithms to be secure from the ground up.” SCRAMBLE is aimed at closing any hackable loopholes in three ways: First, by using what the team calls robust adversarial ML algorithms that operate with untested, partial, or manipulated data sources. Army researchers are reported to be evaluating SCRAMBLE at the ARL’s Computational and Information Sciences Directorate’s autonomous battlefield testbed.

MILITARY EMBEDDED SYSTEMS

Figure 1 | A soldier hand-launches a drone during operational testing at Fort Benning, Georgia. (U.S. Army Operational Test Command photo/Tad Browning)

Second, the prototype will include a set of interpretable ML algorithms aimed at increasing the warfighters’ trust of an autonomous machine while interacting with it. Prateek Mittal, an associate professor of electrical engineering and computer science at Princeton, will be leading a group focused on developing that capability. “The ability of machine learning to automatically learn from data serves as an enabler for autonomous systems, but also makes them vulnerable to adversaries in unexpected ways,” Mittal says. “For example, malicious agents can insert bogus or corrupted information into the stream of data that an artificial intelligence system is using to learn, thereby compromising security. Our goal is to design trustworthy machine learning systems that are resilient to such threats.” Bagchi and Mung Chiang, Purdue’s John A. Edwardson Dean of the College of Engineering and Roscoe H. George Distinguished Professor of Electrical and Computer Engineering, will lead work on the third strategy, that of the secure, distributed execution of the various ML algorithms on multiple platforms during autonomous operation. “This team is uniquely positioned to develop secure machine learning algorithms and test them on a large scale,” Bagchi says. “We are excited at the prospect of close cooperation with a large team of Army Research Laboratory collaborators as we bring our vision to reality.” www.militaryembedded.com

MIL TECH INSIDER

The OMFV next-generation combat vehicle: A MOSA milestone By Mike Macpherson An industry perspective from Curtiss-Wright Defense Solutions The U.S. Army’s recent request for proposal (RFP) from industry for its new Optionally Manned Fighting Vehicle (OMFV), the planned replacement for the venerable Bradley Infantry Fighting Vehicle, represents a true milestone for the commercial off-theshelf (COTS) industry. What makes this ground vehicle a real turning point is the extent to which its design will embrace open standards, as was made very clear during the virtual Industry Day event for OMFV organized by the Army last December. The Army is telling all suppliers that OMFV “requires a Modular Open Systems Approach (MOSA),” which it states is critical to the long-term success of the vehicle. The argument for implementing MOSA is to “ensure the program can avoid major redesigns or re-architecting” of the vehicle’s systems and subsystems. In addition to helping to evolve requirements and threats, system upgrades and technology insertions, the insistence on MOSA also calls out the need to address obsolescence and avoid vendor lock. This program is another sign of the extent to which the U.S. Department of Defense (DoD) now sees the open-architecture approach, long championed for years by the VME International Trade Association (VITA) and other standards organizations, maturing into a de facto requirement. The OMFV RFP further builds on the message delivered by the Tri-Services Memo of January 2019, “Modular Open Systems Approaches for our Weapon Systems is a Warfighting Imperative,” in which the secretaries of the Army, Air Force, and Navy all emphatically expressed that “MOSA supporting standards should be included in all requirements, programming and development activities for future weapon system modifications and new start development programs to the maximum extent possible.” What’s more, the mandate for MOSA has been codified into a United States law (Title 10 U.S.C. 2446a. (b), Sec 805) that states all major defense acquisition programs are to be designed and developed using a MOSA. For the community of COTS suppliers that has been at the forefront of delivering modular open systems to the defense and aerospace markets for almost three decades – ever since the introduction of the COTS Initiative introduced in 1994 by thenU.S. Secretary of Defense William Perry – this is all validating support for the vision that has driven us, the investments made, and the evangelistic communication about the benefits that open architectures deliver. These include, but are not limited to, cost reductions and the more rapid fielding of new capabilities to the warfighter. The Bradley tank is 40 years old. The currently fielded Paladin is based on the original M109 self-propelled howitzer introduced in the early 1960s, during the early part of the Vietnam war. The mandate for MOSA for OMFV recognizes that ground-vehicle platforms tend to have a very long life; consider the B-52 aircraft, www.militaryembedded.com

Figure 1 | The Optionally Manned Fighting Vehicle (OMFV) nextgeneration combat vehicle is the planned replacement for the venerable Bradley Infantry Fighting Vehicle, seen here during a 2019 training exercise at the National Training Center in Fort Irwin, California. (Photo by Cpl. Alisha Grezlik, U.S. Army 115th Mobile Public Affairs Detachment.)

flying since World War II with its original airframe, but which stays vital through updates to its avionics and payload systems. (See the Bradley tank, Figure 1.) MOSA will provide OMFV with the ability to modify computing and network resources, enabling it to keep up with technology, but more importantly letting it keep up with the threat. But the mandate for MOSA won’t just benefit OMFV: The same industry standard principles can benefit other ground vehicle platforms, such as the Armored Multi-Purpose Vehicle (AMPV), Mobile Protected Firepower (MPF), and even the venerable Paladin, because the open systems approach eliminates the need for a large NRE [non-recurring engineering] investment to update the platforms’ infrastructure in order to do a technology refresh. For COTS suppliers, OMFV – the first new platform to be designed around MOSA – provides the first real opportunity to prove the benefits of the open systems approach as an alternative to the ad hoc replacement of systems. COTS suppliers who have a broad range of MOSA cards and systems, plus a CMOSS-compliant portfolio, now are wellpositioned to support prime contractors and participate in programs like OMFV. We’ve seen the future and it favors COTS vendors who have already invested in a wide range of truly rugged MOSA-based cards that are able to address the various functionalities needed on these next-generation combat vehicles today. Mike Macpherson is the Vice President of Strategic Planning for Curtiss-Wright Defense Solutions. Curtiss-Wright Defense Solutions https://www.curtisswrightds.com/

MILITARY EMBEDDED SYSTEMS

March 2021

DEFENSE TECH WIRE NEWS | TRENDS | DOD SPENDS | CONTRACTS | TECHNOLOGY UPDATES

By Emma Helfrich, Technology Editor

Micro IFF transponder for drones receives DoD AIMS certification

Figure 1 | The Micro IFF transponder includes native antenna diversity for full visibility by space-based and ground-based Automatic Dependent Surveillance – Broadcast (ADS-B) systems. Sagetech Avionics image.

Sagetech Avionics, a company specializing in situational awareness solutions for unmanned aerial systems (UASs), announced that the U.S. Department of Defense AIMS Program Office issued the world’s first 17-1000 Mark XIIB certification to Sagetech for its MX12B micro-Mode 5 Identify Friend or Foe (IFF) transponder. According to the company, this transponder is designed to enable NATO and allied militaries to deploy Mode 5 IFF capability on small drones, intended to protect the warfighter against rapidly increasing unmanned threats from adversaries.

Sagetech performed live demonstrations of the MX12B interoperating with multiple crypto computers at the U.S. Navy IMPAX 2020 event, for the U.S Army, and for major OEM military UAS customers. The company also claims that the new MX12B is the world’s smallest certified Mode 5 IFF transponder, intended to deliver 100% of the Mode 5 functionality from a package that is 93% smaller than traditional certified transponders.

milCloud 2.0 uses machine learning and cyber sensing to speed innovation

General Dynamics Information Technology (GDIT) announced the availability of Amazon Web Services (AWS) through the milCloud 2.0 contract, giving U.S. Department of Defense (DoD) mission partners access to a portfolio of secure cloud services. This solution is designed to enable mission partners to take advantage of the latest technology and innovate more quickly with artificial intelligence, machine learning, cyber sensing, and other emerging capabilities. milCloud 2.0 aims to enable the DoD and the Defense Information Systems Agency (DISA) to accelerate cloud adoption, simplify acquisition, achieve cost savings, and improve mission effectiveness in projects through a single contract. Users across the DoD enterprise can leverage the milCloud 2.0 contract for migrations, application modernization, and new application development; as well as take advantage of cloud services from AWS in areas such as analytics, edge computing, end-user computing, and security.

Radioisotope power systems for deep-space missions ordered from Aerojet Rocketdyne

Aerojet Rocketdyne recently received a contract award to deliver up to two multi-mission radioisotope thermoelectric generators (MMRTG) – radioisotope power systems that have been used as reliable electrical power sources on multiple deep-space missions – to the U.S. Department of Energy (DOE) for use in future planetary science missions. According to a news release from Aerojet Rocketdyne about the award, the MMRTG produces dependable electrical power by converting the heat from Plutonium-238 radioactive decay into electricity. Company officials say that a single MMRTG unit can provide long-lasting electrical power to a spacecraft or planetary rover, enabling exploration of the deepest corners of the solar system, where the great distance from the sun dramatically reduces the effectiveness of solar arrays that might be used to harness power. The MMRTG has a proposed launch date of October 2025.

12 March 2021

MILITARY EMBEDDED SYSTEMS

Figure 2 | The Curiosity rover took this self-portrait on Mars that includes its MMRTG electrical power source (the white cylinder with radiator fins, at the rear of the rover). NASA/JPL-Caltech/MSSS photo.

www.militaryembedded.com

Leader radio program by Thales receives additional orders from U.S. Army

Thales has won its third delivery order from the U.S. Army to provide the AN/PRC-148D Improved Multiband Inter/Intra Team Radio (IMBITR). Under the Army Leader Radio program and in support of Capability Set fielding’s into the Integrated Tactical Network (ITN), this award brings total IMBITR radio orders to more than 6,000. Thales provided the IMBITR to multiple operationally deployed units to generate soldier feedback for testing and risk reduction prior to the U.S. Army’s formal Operational Test and Evaluation in January 2021.

Figure 3 | IMBITR is the first two-channel handheld radio designed to provide critical narrowband, tactical communications capabilities. Thales image.

Thales claims that the IMBITR offers an extended range of operational waveforms and features such as beyond-line-of-sight satellite communications (SATCOM), integrated waveform SATCOM, and enhanced frequency-hopping modes. The AN/PRC-148D integrates additional secret-and-below levels of security to the wideband side, Thales says, with the intention of providing commanders with increased flexibility to ensure a resilient tactical network.

Cybersecurity across Danish defense supply chain goal of Celerium, CenSec partnership

Counterfire radar system leverages RF processing board

The CMMC program was developed by the U.S. Department of Defense (DoD) in conjunction with Carnegie Mellon University in an effort to improve cybersecurity across the defense supply chain. According to officials, it is designed to provide scalable cybersecurity requirements based on five different levels of compliance. Accordingly, prime contractors and their subcontractors may be required to comply with CMMC in order to be eligible to be awarded DoD contracts – and companies within other industries and international countries may be impacted.

The conduction-cooled, rugged, RF processing board is built on a 3U VPX form factor. Mounting the RFSoC directly on a carrier card is intended to reduce space requirements and optimize thermal transfer while increasing the mean time between failure (MTBF). The VP430 is designed to reduce RF signal chain complexity and maximize input/output channel density.

Cyberdefense company Celerium announced a new partnership with CenSec, the prime Danish cluster organization for companies specializing in high-tech industries including defense, homeland security, space, aerospace, and cybersecurity. CenSec will be a member of Celerium’s Cybersecurity Maturity Model Certification (CMMC) Academy International Alliance program, fielded in an effort to bring CMMC awareness to the Danish defense industry.

Abaco Systems announced a multimillion-dollar design win for sixty units of the VP430 radio frequency systemon-chip RFSoC, a direct RF processing system which will be used on a counterfire target-acquisition radar upgrade. The counterfire sensor is intended, the company says, to increase the ability to respond to newly identified threats and changing missions to enable more efficient countermeasures.

DEFIANT X advanced assault helicopter in development for U.S. Army

Sikorsky (a Lockheed Martin company) and Boeing released details of its advanced helicopter for the U.S. Army’s Future Long-Range Assault Aircraft competition, known as FLRAA. The aircraft, named DEFIANT X, will aim to change the way the Army meets threats in 2035 and beyond. According to company officials, DEFIANT X is a complete weapon system that builds on the handling qualities and transformational capabilities proven by the team’s technology demonstrator, SB>1 DEFIANT. The companies say that the DEFIANT X platform – engineered to fly twice as far and fast as the Black Hawk helicopter it is designed to replace – is currently undergoing testing in a digital combat environment. DEFIANT X incorporates Sikorsky X2 technology to operate at high speeds while aiming to maintain lowspeed handling qualities. This capability is intended to provide increased maneuverability and survivability. www.militaryembedded.com

Figure 4 | Artist’s rendering of the DEFIANT X assault helicopter featuring enhancements to improve aerodynamics and reduce the thermal signature. Sikorsky/Boeing image.

MILITARY EMBEDDED SYSTEMS

March 2021

SPECIAL REPORT

Digital avionics displays from the cockpit to the helmet to the holograph By Sally Cole, Senior Editor

The digital cockpits of military aircraft today have increased in complexity and capability by leveraging commercial processing, graphics, and navigation in open architecture designs, bringing unprecedented awareness and advantages to military pilots.

When glass cockpits replaced the traditional dashboard of gauges and dials in older flight decks, pilots couldn’t stop gushing about the improved situational awareness the digitization of their instruments provided. Today’s advances, while more subtle, are delivering similar jumps

14 March 2021

Avionics upgrades

The side head-up display for AC-130J gunship cockpits was upgraded with the MAGIC1A high-performance embedded computing system from Abaco Systems. Photo by Airman Cameron Lewis.

in capability for flight and helmet displays via improved flight computer processing, high-resolution display graphics, and holographic near-eye displays. These solutions are also happening at a faster technology-insertion rate, thanks to open architecture designs and initiatives. Enhancing cockpit displays Cockpit displays – like many other defense electronics solutions and products – must meet reduced size, weight, power, and cost (SWaP-C) requirements in addition to providing improved capability, all while maintaining compatibility with legacy systems. “We receive varying customer requirements,” says Luis Esparza, product manager for Abaco Systems (Huntsville, Alabama). “In general, display computers and processors rely on ensuring large central processing unit (CPU) processing in conjunction with strong graphics processing unit (GPU) processing. [We] ensure the power and interoperability are available out of the box [with] multicore, multi-Gigaherz, multi-teraflops floating-point processing, and enough memory to make it all work.” There’s also an expected level of bus connectivity, “whether multi-Gig, Ethernet, or legacy, such as ARINC and Mil Standard 1553 avionics,” he adds.

MILITARY EMBEDDED SYSTEMS

www.militaryembedded.com

Some of these requirements also drove an upgrade to an existing side head-up display platform in AC-130J gunships. The biggest challenge involved was that the customer required pin compatibility with the legacy system, says Rob Cox, regional sales manager for Abaco Systems, which supplied its MAGIC1A high-performance embedded computing system for the upgrade, which aims to enable operational visibility of the battlespace for the platform. MAGIC1A provides features including increased storage space for mission and flight data, higher processing capacity, and cybersecurity capabilities. “MAGIC1A delivers the latest in graphics and computer processing to a SWaP-C improvement on a legacy design to ensure seamless integration,” Cox says. “It will allow the customer to reduce the technology footprint on the platform via a [serial digital interface] SDI I/O upgrade on the system.” Adding a removable 4 terabyte solid-state device (SSD) is “expected to enhance the operational security posture for tactical field operations,” Cox adds. Cybersecurity is enabled via Intel’s trusted platform monitor. Like cybersecurity, artificial intelligence (AI) capability is being enabled across multiple defense platforms and electronics solutions. For rugged display applications, Abaco leverages the NVIDIA Deep Learning SDK and Intel’s OpenVINO toolkit, which “enable our customers to easily create high-performance applications to leverage AI inference at the edge,” says Dave Tetley, principal software engineer for Abaco Systems. “AI-based sensor processing applications such as target recognition and tracking can be more effective than traditional techniques and are becoming widely adopted as more compute power is provided within a low size, weight, and power profile.” Technology refreshes that involve features like AI capabilities, processors, rugged displays, and cyberdefense are now faster and more efficient thanks to open architecture designs and initiatives like the Future Airborne Capability Environment (FACE). Open systems architecture (OSA) is enabled via the use of standard interfaces in hardware and common application programming interfaces (APIs) in software. [Note: The latter is how the FACE Technical Standard enables commonality and reuse in avionics software. For more, please see our Industry Spotlight articles starting on page 30.] “The idea of having reuse and being able to leverage a hardware abstraction layer is critical,” says Steve Motter, vice president of business development for IEE (Van Nuys, California). “We have been using the FACE Technical Standard as a design guide in our MFD implementation. “We support OSA in our avionics displays via a communication interface and video processing capabilities,” he continues. “This includes everything from traditional avionics buses, to ARINC 818, to Ethernet-based video distribution architectures such as ARINC 661.” An example is IEE’s 3.5-inch aircraft control display unit (CDU) designed for helicopter avionics. Applied beyond typical radio and communications applications, this CDU provides a central data entry and status display for the search-and-rescue rotorcraft platform’s Personal Locator System (PLS). Helmet-mounted digital night-vision display While modern digital flight displays have made pilots’ working days much easier, the technology in helmet-mounted displays enables pilots to see in all types of conditions. An enhanced visual acuity (EVA) system from Collins Aerospace (Charlotte, North Carolina) is helping the U.S. Navy and Marine Corps transition from analog to digital www.militaryembedded.com

Figure 1 | The EVA system from Collins Aerospace is a helmet-mounted digital night-vision display. Image courtesy of Collins Aerospace.

night-vision systems. This system will be used by rotary-wing and tilt-rotor aircrews to provide advanced digital nightvision and display technology to enhance situational awareness for warfighters. EVA integrates a helmet-mounted binocular display for wider, higher-resolution imagery and improved night-vision performance at very low light levels, which is when rotary-wing pilots need it most. (Figure 1.) “All of the digital night-vision processing for our EVA system is hosted on the helmet within the EVA electronics assembly, which makes use of the latest multiprocessor system-on-chip (MPSoC) technology to enable high-performance, low-power processing,” says Michael A. Ropers, principal systems engineer, Helmet Vision Systems, Avionics for Collins Aerospace. EVA represents the next technology leap in aviator night-vision systems, according to Collins Aerospace, taking that next step by providing “the visual acuity of analog night-vision goggles with a larger field of view and full color binocular heads-up display symbology,” Ropers explains. “And it replaces dated monochrome monocular displays on the NAVAIR rotary-wing HMDS [helmetmounted display system] with the latest binocular color displays.” The system uses the ISIE-19 night-vision sensor for low-light performance, combined with the displays. EVA is noticeably lightweight and has both high contrast

MILITARY EMBEDDED SYSTEMS

March 2021

SPECIAL REPORT

Avionics upgrades

and a large field of view. “It’s paired with a full-color high-brightness microdisplay, and also offers a substantial improvement in visual acuity, higher brightness, and lower life cycle costs over previous rotary-wing helmet display systems,” Ropers notes. One of the most surprising aspects of EVA is that, beyond its displays, “its lightweight, flexible night-vision solution is operational whether in-line-of-sight or stowed above the eye,” he continues. “A seamless transition from day to night operations for our pilots was key in the integrated design of the night-vision sensor and display, allowing for day/night operations without the need to install or remove components from the helmet. But the night-vision sensor assembly can be quickly removed with minimal effort if the pilot desires.” Work under a developmental contract with the U.S. Navy and Marine Corps is underway at Collins Aerospace facilities in Iowa, California, and Massachusetts, and with contract completion scheduled for March 2023. Holographic near-eye displays The next leap in military display technology may come from research in holographic near-eye displays via new software and hardware advances. A new technique to improve image quality and contrast for holographic displays was developed by researchers from NVIDIA (Santa Clara, California) and Stanford University; the technique may help improve near-eye displays for augmented- and virtual-reality applications. Augmented- and virtual-reality systems are poised to have a transformative impact on our society by providing a seamless interface between a user and a digital world, according to Jonghyum Kim, a researcher at NVIDIA and Stanford University. “Holographic displays could overcome some of the biggest remaining challenges for these systems by improving the user experience and enabling more compact devices,” Kim says. The new holographic display technology is called “Michelson holography,” which the researchers reported in Optica, an open-access journal from the Optical Society

M-CODE AND ALTERNATIVE NAVIGATION TECHNOLOGIES Honeywell Aerospace (Phoenix, Arizona) has flight-tested new technologies to enable alternative navigation offerings, including its embedded GPS inertial (EGI) navigation system. EGI supports M-code, the standard GPS signal used by militaries around the world. The flight tests demonstrated a milestone in providing continued navigation solutions within GPS-denied environments. It was also the first time an airborne M-code receiver was flown aboard an aircraft within an EGI, demonstrating M-code in a live environment. While GPS is used for navigation for military applications, a seamless connection to these signals isn’t guaranteed. Even modern systems can have problems within GPS-denied environments like dense urban areas near tall buildings. Jamming can also prevent signals from conveying critical information about positioning, navigation, and timing. Aircraft and vehicles should thus have alternatives such as celestial or vision navigation. “The issues of GPS-denied environments or GPS jamming are felt by every facet of the aerospace industry, but they’re particularly concerning for military operations,” says Matt Picchetti, vice president and general manager of Navigation & Sensors for Honeywell Aerospace. Honeywell is developing multiple alternative navigation technologies to add resilience to GPS and enable continuous, safer, and more reliable navigation if GPS signals are unavailable. It will provide its third-generation M-code EGI to various U.S. Department of Defense (DoD) and international customers in 2021.

16 March 2021

MILITARY EMBEDDED SYSTEMS

Figure 2 | Michelson holography shows significant improvements in image quality, contrast, and speckle reduction compared with all other conventional methods, such as naïve SGD [stochastic gradient descent]. Photo credit: Jonghyun Kim, NVIDIA, Stanford University.

of America. The technology combines an optical setup inspired by Michelson interferometry (used in spectroscopy and wave detection) with a recent software development to generate interface patterns to make digital holograms. (Figure 2.) “Although we’ve recently seen tremendous progress in machine-learning-driven computer-generated holography, these algorithms are fundamentally limited by the underlying hardware,” Kim says. “We codesigned a new hardware configuration and a new algorithm to overcome some of these limitations and demonstrate state-of-the-art results.” Holographic displays show potential for outperforming other 3D display technologies used for augmented and virtual reality by enabling more compact displays. It improves a user’s ability to focus their eyes at different distances and offers the ability for contact-lens wearers to make adjustments. But so far, the technology hasn’t achieved the image quality of more conventional technologies. Image quality of holographic displays is limited by an optical component called a phase-only spatial light modulator (SLM). Phase-only SLMs that tend to be used for holography have a low diffraction efficiency that degrades observed image quality, particularly image contrast. www.militaryembedded.com

It’s difficult to dramatically increase the diffraction efficiency of SLMs, so the researchers designed a completely new optical architecture to create holographic images. Michelson holography uses two phase-only SLMs rather than using a single phase-only SLM like other setups. “The core idea of Michelson holography is to destructively interfere with the diffracted light of one SLM using the undiffracted light of the other,” Kim says. “This allows the undiffracted light to contribute to forming the image rather than creating speckles and other artifacts.” The researchers combined this new hardware arrangement with a camera-in-theloop (CITL) optimization procedure modified for an optical setup, a computational approach to optimize a hologram directly or to train a computer model based on a neural network. CITL allowed the researchers to use a camera to capture a series of displayed

images. It also allowed for correction of small misalignments of the optical system without using any precise measuring devices. Once the computer model is trained, “it can be used to precisely figure out what a captured image would look like without physically capturing it,” Kim points out. “This means the entire optical setup can be simulated in the cloud to perform real-time interference of computationally heavy problems with parallel computing. This could be useful, for example, to calculate a computer-generated hologram for a complicated 3D scene.” The researchers put their new Michelson holography architecture to the test using a benchtop optical setup within their lab to display several 2D and 3D images, which were recorded via a conventional camera. This demonstration showed that the dualSML holographic display with CITL calibration provides significantly better image quality than existing computer-generated hologram approaches. To make their new system practical, the researchers say they need to first translate the benchtop setup into a system small enough to incorporate into a wearable augmented- or virtual-reality system. And they note that their approach of codesigning the software and hardware may be useful for improving other applications of computational displays and computational imaging in general. The researchers received funding from the Army Research Office, Okawa Foundation for Information and Telecommunications, Alfred P. Sloan Foundation, National Science Foundation, and Ford Foundation. [Link to article: https://www.osapublishing.org/optica/ fulltext.cfm?uri=optica-8-2-143&id=446984.] MES

Thrives in rugged environments. Lives to test limits. Yes, this is a tardigrade. And it’s also every product Sealevel designs and manufactures. Resilient Rugged • Up for the challenge • •

Like a tardigrade, but with heart.

Innovation

COTS & Full Custom

www.militaryembedded.com

Confidence

Quality

Hardware and software products for every major military contractor

Lifetime warranty on all I/O matched with long-term availability guaranteed

Fully-tested critical communications solutions delivered on time, every time |

Rugged Computing

Synchronous Serial

MIL- STD -1553

MILITARY EMBEDDED SYSTEMS

sealevel.com

March 2021

SPECIAL REPORT

COM-HPC for military: Opportunities and challenges By John Reis The U.S. military is constantly in search of technology that will lead to improving military capabilities while minimizing the risk to the warfighter. The COM-HPC standard promises to increase the functionality of edge computing and usher in new applications that will forever change the way military operations are conducted. There exist multiple opportunities as well as some challenges related to the adoption of COM-HPC for military use.

18 March 2021

Avionics upgrades

What is COM-HPC? COM-HPC is a new computing standard developed and approved by the PCI Industrial Computer Manufacturers Group (PICMG) that was just recently ratified in early 2021. The standard applies to high-performance computerson-module (COMs). COM-HPC is meant to address the need for high-speed performance in embedded computers and edge servers. High-performance computing (HPC) is the practice of aggregating computing power to provide higher performance than that which could be obtained from typical workstations. It makes use of technologies such as parallel computing to solve large and complex problems in real time that are beyond the capabilities of traditional computing systems. HPC systems are used in military command-and-control environments to facilitate communication between the tactical operations center and the warfighter. The COM-HPC standard builds on the current COM Express specification to address the need for more interfaces than the 440 pins COM Express defines; this specified size limits the scalability of powerful new edge servers and negatively impacts their ability to address the requirements of industrial and military applications. The connector defined in the COM Express standard also is reaching its maximum level of performance: It can handle the 8.0 GH clock speed and 8 Gbit/sec throughput required by PCIe Gen 3, but may not be able to adequately operate with new advances like PCIe Gen 4, 5, and 6.

MILITARY EMBEDDED SYSTEMS

www.militaryembedded.com

Military high-performance computing uses Many of the military applications of computing power need to collect and process data in real time. The military has been interested in HPC since 1992 when the High-Performance Computing Modernization Program (HPCMP) was initiated to fulfill congressional directives to modernize the U.S. Department of Defense (DoD). Its goal was to solve modern military and security problems through the use of high-performing computer hardware and software. The program consolidated supercomputing research being conducted in laboratories and test centers for individual branches of the military like the Army and Navy. A lot has changed in the world of computing since 1992; for one thing, “the cloud” and edge computing were nowhere to be found at that time. As the technological landscape evolved, the military began to take advantage of advancements such as cloud computing. One of the goals of the HPCMP is to develop systems capable of performing advanced simulations as a basis for predictive modeling. The introduction of the Space Force in 2018 spurred renewed interest in the HPCMP as it attempted to identify technology to assist with exploration, satellite communication, and eventually surveillance and intelligence from satellite and potential weapons systems in space. The military currently employs HPC solutions in a variety of ways as it finds that the sheer amount of data required for reliable decision-making is growing exponentially. Through the use of parallel computing and the advanced processing capabilities of GPUs [graphics processing units], HPC systems can perform calculations at greatly increased speeds to make the best use of data resources. Applications include: Enhanced image processing: Images captured by satellite or unmanned aerial vehicles (UAVs) need to be processed to enhance the quality of information they provide. HPC/GPU systems can process this data from 12 to www.militaryembedded.com

High-performance computing comes in different flavors, like GPU versus standard CPU processing. There is also a new PICMG specification that is being developed for small-form-factor HPC, which is based around the COM Express family. COM-HPC has the capability of five times the memory, four times the throughput, and twice as much expansion as the GPU. 40 times faster than a traditional CPU-based system. Processing at the edge is imperative for data to be more available, effective, and timely, with limited latency. The goal is to deploy these systems aloft or in the field to eliminate the need to transmit data to a remote data center for processing. Geospatial intelligence: With dedicated software and HPC hardware, systems can map large areas in seconds rather than days. Using satellite imagery and GPU-based systems, a 200-square-mile city can be mapped in detail in less than 20 seconds. This capability is essential for providing intelligence for military command and boots on the ground. The SWaP-C advantage: SwaP-C [size, weight, power, and cost] – all characteristics essential in systems designed for use in the field where equipment must be easily mobilized and power supplies may be limited. GPU technology enables smaller and lighter systems that consume substantially less power while providing advanced computing capabilities. Ruggedized HPC: Equipment used in the field needs to conform to military standards in its ability to withstand excessive vibration, shock, and temperature. The military also needs electronic packaging that protects these assets from the elements, such as sand and dust. The benefits of COM-HPC for military use Edge computing, where processing is done on location instead of at a centralized data center, is becoming more important throughout industry and the military. The ability of field personnel to perform calculations that aid in decision-making can be instrumental in the success or failure of a mission. Eliminating the need to transmit data to be processed saves time and removes a point of failure that could create a critical delay in action to address the mission. COM-HPC provides a set of technical specifications that address many of the problems that need to be resolved to bring the optimal computing solution to the military. Some of these include: Extended RAM capabilities: COM-HPC server-on-modules is designed to host as much as 1 terabyte of RAM in eight DIMM sockets. This configuration can provide increased I/O performance to as fast as 256 Gbytes/sec. More pins and interfaces: The number of pins in the COM-HPC standard has been increased from 440 to 800, almost doubling the number of connections that can be made with a single module. This boost will enable more features and benefits in a smaller form factor that will benefit the warfighter. Enhanced server-board management: Flexible configuration will be possible with a new server interface that enables use of thin slot cards to reduce the size of rack systems.

MILITARY EMBEDDED SYSTEMS

March 2021

SPECIAL REPORT

Avionics upgrades

CPU

• • • •

Low compute density Complex control logic Large caches (L1$/L2$, etc.) Optimized for serial operations • Fewer execution units (ALUs) • Higher clock speeds • Shallow pipelines (<30 stages) • Low Latency Tolerance • Newer CPUs have more parallelism

GPU

• High compute density • High Computations per Memory Access • Built for parallel operations • Many parallel execution units (ALUs) • Graphics is the best known case of parallelism • Deep pipelines (hundreds of stages) • High Throughput • High Latency Tolerance • Newer GPUs: • Better flow control logic (becoming more CPU-like) • Scatter/Gather Memory Access • Don’t have one-way pipelines anymore

Figure 1 | CPU compared with GPU.

These features taken together promise to deliver higher-performing systems that are compact, mobile, versatile, and reliable, leading to more successful outcomes. Military HPC system challenges Different challenges impact the widespread adoption of HPC for military applications. One is cybersecurity, a topic that affects all computing environments and presents

additional concerns for systems used by the military. HPC systems must ensure the secure transfer of data and eliminate the possibility for military applications to be compromised, putting the mission at risk. Another challenge is networking: Large networks with hundreds of thousands of endpoints and smart sensors are required to implement the viable edge computing required by the military. Verifying the connectivity and security of these endpoints and sensors is an essential component of implementing HPC systems for military applications. Another piece of the HPC puzzle: Identifying the right partners when developing HPC systems is of paramount importance to the military establishment. Preference will be given to companies that can show a track record of providing embedded system capabilities that are ruggedized to conform to the needs of military operations. Staying current with new trends and standards such as COM-HPC, the Sensor Open Systems

RocKet Macro D M Series Micro D

N Series Nano D

Your D-Shaped Interconnect Leader •

Macro D, Micro D, & Nano D — one is perfect for your application

•

Very high connector-to-connector density, whichever part family you choose

•

Ultralightweight (Nano D) & lightweight (Micro D & Macro D) perfect for applications like space launches where excess weight means more cost

•

High-temperature N & M Series models — ideal for harsh environments

a i r b o r n . c o m 20 March 2021

MILITARY EMBEDDED SYSTEMS

www.militaryembedded.com

Architecture (SOSA), Modular Open Systems Approach (MOSA), or Modular Open RF Architecture (MORA) are also characteristics of organizations that will be used to supply the computing needs of the military. High-performance computing comes in different flavors, like GPU versus standard CPU processing. There is also a new PICMG specification that is being developed for small-form-factor HPC, which is based around the COM Express family. COM-HPC has the capability of five times the memory, four times the throughput, and twice as much expansion as the GPU. (Figure 1.)

The ability to make the most effective use of computing technology may well be the determining factor in military disputes and activities as we advance through the 21st century. The DoD takes this situation as a serious challenge and is attempting to put the most robust and reliable infrastructure in place to keep the warfighter out of harm’s way. With high-performing computing systems that were unthinkable a generation ago, the future looks bright for developments that increase our security while limiting the exposure to the mission and the warfighter. MES John Reis is senior key account manager, Military Vertical, at Advantech USA; he has more than 30 years of experience in the embedded military computing market. Advantech https://www.advantech.com/

Traditional CPUs have low compute density and complex control logic built for serial operations, shallow pipelines, and low latency. On the other hand, GPU processing has high compute density; performs high computations per memory access; can perform parallel applications; and has deep pipelines, high throughput, and high latency tolerance. The use of GPUs and COM-HPC will benefit military applications tremendously. No latency here High-performance GPU processing can take large-scale feeds of data, in the petabyte range, and transmit video data from the battlefield in real time to users at speeds that can be 12 to 40 times faster than traditional processing. This huge increase enables the warfighter to make complex, real-time decisions on the battlefield, without the need of the data to be processed in the cloud, thus reducing latency. For example, real-time video data from an aerial surveillance mission can be seamlessly downloaded to a ground vehicle, enabling the warfighter to locate and effectively eliminate an adversary in an accelerated manner. COM-HPC will enable the data to be processed and saved at the edge cloud to retrieve and disseminate information to a team effectively in real time. Adapting COM-HPC servers will offer the warfighter the advantage of highperformance processing in a very effective small form factor, with reduced SWaP-C as a design goal. www.militaryembedded.com

VITA 48.4

Liquid FlowThrough Cooling

Power-hungry OpenVPX modules require a cooling solution that keeps the mission on course. From the experts in packaging for extreme environments comes the VITA 48.4 LFT Rugged ATR Platform, with 300W/slot cooling. • • • •

Six OpenVPX payload & switch slots Four slots with RF & optical connections 10Gbps backplane data rates Two VITA 62 power modules

With you at every stage! Elma Electronic Inc.

elma.com

MILITARY EMBEDDED SYSTEMS

March 2021

MIL TECH TRENDS

DO-178 continues to adapt to emerging digital technologies By Emma Helfrich, Technology Editor Guilty until proven innocent – that is how the U.S. Department of Defense (DoD) treats the safety-certification process for military avionics systems, and the software portion of these systems is no exception. Certifying DO-178 in avionics software is a detailed process by which the safety and security of the software is determined to be acceptable to fly. The certification process itself is still a work in progress: Having already undergone revisions since its conception in the late 1980s following the emergence of supplemental software in aviation, DO-178 and other safetycertification standards for military and commercial avionics are being challenged to keep pace with digital innovation.

22 March 2021

Certifying COTS hardware and software

High-performance aircraft like the F-22 leverage avionics safety-certification techniques to ensure not only the safety of the aircraft but that of the crew as well. In this photo, Maj. Josh Gunderson, F-22 Raptor Demonstration Team pilot, flies during the Lockheed Martin Space and Air Show in Sanford, Florida (November 2020). The F-22 possesses a sophisticated sensor suite that allows the pilot to track, identify, shoot, and kill air-to-air threats before being detected. U.S. Air Force photo by Staff Sgt. Sergio A. Gamboa.

In the past, companies specializing in both military and commercial aviation were given several years to run their products through the litany of tests and certifications required to then reach the market. Today, however, the cycle time to market is much faster and companies now face the added pressure of losing their competitive edge and spending excessive funds to certify their products. These complications are paired with what officials say is increased scrutiny by the Federal Aviation Administration (FAA) and the European Union Aviation Safety Agency (EASA), following recent incidents with commercial aircraft. An industrywide push for increasingly complex hardware is also making software reuse a priority to ensure both affordability and a more efficient safetycertification procedure. Trends in avionics safety certification all come down to industry innovation. As new and groundbreaking technologies emerge, standards must adapt to ensure that modernization efforts are maintained and supported, all while keeping certification documents timely and relevant. With the advent of artificial intelligence (AI), cyberwarfare, and unmanned technologies, manufacturers are pointing to a shift in avionics safety certification in hopes of finding the balance between rigor and flexibility. Overcoming challenges with DO-178 certification Software is still a relatively new aspect of the use of digital technology as a concept in aviation. Moreover, software evolves at what can seem like lightning

MILITARY EMBEDDED SYSTEMS

www.militaryembedded.com

Figure 1 | The Lynx MOSA.ic for Avionics combines the power of the separation kernel and hypervisor along with the LynxOS-178 partitioned RTOS to offer a DO-178C certifiable software product.

speeds. As soon as the FAA, EASA, and other regulatory bodies implemented the processes and standards to certify software safety, it seemed as though even more advanced and state-of-the-art programs were released immediately after. But the aviation industry, both commercial and defense, embraces innovation in an effort to remain current with updating safety-certification documents to keep pace with new technologies. One example is the addition of an extension to the DO-178 certification. “The DO-178C is a newer evolution to the DO-178B standard for certifying avionics software,” says Arun Subbarao, vice president of engineering at Lynx Software Technologies (San Jose, California). “The main intent was to remove some of the ambiguity that was present in the older standard, as well as to allow some newer techniques such as formal methods, object-oriented code, or model-based development into the process. It also provides allowances for new topics such as the Parameter Data Item (PDI) and extraneous code.” (Figure 1.)

High power AND reliability? You wanted more current per contact from our high-rel connectors. You wanted Harwin’s high quality standard.

We listened.

DO-178C is important because excessive amounts of software code are known to have a corresponding impact on the financial and laborious sides of certification. When efficiency is paramount, implementing restrictions at the standard level to keep the ball rolling can be hugely beneficial for customers. With such powerful software, however, hardware complexity is becoming a common obstacle in the safety certification bubble. “The biggest challenge for certification to DO-178C remains mitigating multicore interference on a multicore processor in order to achieve the determinism and isolation required for safety certification,” says Richard Jaenicke, director of marketing at Green Hills Software (Santa Barbara, California). “The root of the problem is the contention for shared resources when one processor core is temporarily blocked from accessing a shared resource, such as shared memory, because it is already in use by a different processor core. This is not a problem that you can test your way out of.” (Figure 2.) Tailoring certification to military and commercial customers The military is not required to adapt commercial aviation safety certification guidelines, but they do so because such guidelines enable a more robust and safe aircraft for the warfighter. “Commercial avionics customers are very strict in their adherence to DO-178C and obtaining FAA approval for airworthiness,” Subbarao says. “All of these systems have to get FAA approval to fly, so there is very little flexibility in this regard. However, military avionics customers have more flexibility in choosing to adhere to DO-178C processes or evolve other similar safety certification standards in certifying military systems that are airborne.” www.militaryembedded.com

■ ■

60A per contact Shock to 100G

Stainless steel mate-before-lock fixings ■

■

Operating temperature up to 150°C

harwin.com/kona

Connect with confidence

MILITARY EMBEDDED SYSTEMS 23 12:42 Harwin KONA Military Embedded SystemsMarch March 2021 21.indd 02/02/2021 1

MIL TECH TRENDS

Certifying COTS hardware and software

This is due in part to the fact that the military understands the complexity of their avionics systems. The Department of Defense (DoD) is playing the long game with its airborne platforms and fully intends to ensure that they last decades by continually evolving. “Historically, the military had its own version of ‘certifying’ a platform for flight,” says Mike Pyne, director strategic accounts & solutions architect at CoreAvi. “Unlike commercial platforms, the military had to deal with a variety of subsystems and components, so getting a product with a TSO certification [the FAA’s civilian certification] was rare. European Ministries of Defense have required commercial certification levels for decades, but the U.S. Department of Defense has always resisted this due to cost concerns – but this is beginning to change.” Militaries are typically allowed more flexibility and don’t often come under the same FAA or EASA scrutiny as commercial aviation companies, mostly because defense aircraft usually aren’t flying over civilian-populated cities but are instead flying in-theater or over safe airspaces. Consequently, DO-178 can be tailored to maximize the return on investment and potentially lessen the rigor in certain areas. “Militaries used to do really advanced testing called ‘black box’ when you can’t see inside,” says Vance Hilderman, chief technical officer at AFuzion. “Military avionics was really good at testing from the outside, but while important, civil aviation DO-178 provides more intrusive ‘light box’, so you look inside the software. So, older military systems were really well tested from the outside, but you didn’t really know what was inside. Now, militaries are using 178 as almost mandatory throughout the world.”

Figure 2 | The Green Hills INTEGRITY-178 tuMP RTOS has been part of airframes certified to DO-178C certifications, including the F-22 Raptor seen in this image. U.S. Air Force photo by Senior Airman Tiffany A. Emery.

DO-326A AND RESISTING CYBERATTACKS The relationship between software and hardware in an airborne platform is symbiotic despite the complications in certifying the respective technologies, but even the most complex and difficult-to-certify avionics systems have a common enemy: Cyberattacks. It is now mandatory that manufacturers take DO-326A into account and engineer avionics that are resilient to cyberattacks. This step in the safety-certification process is still novel enough to present nuances for aviation companies to navigate. “We have these new mandates because of hacking,” says Vance Hilderman, chief technical officer at AFuzion. “And the increased access points on an aircraft are no longer all closed and buttoned up. You have to be able to load it and access things, so that means hackers can get in. So we have new rules for cybersecurity called DO-326A, a whole new set of rules that we have to follow, mandatory this year. Starting this summer, we will have new documents coming out at the system aircraft-safety level. So, there’s even more work to do to hopefully make aircraft even safer and able to manage this complexity.”

24 March 2021

MILITARY EMBEDDED SYSTEMS

Figure 3 | An excerpt from a snapshot of AFuzion’s new DO-178C plans, standards, and templates package for 2021.

A special case regarding DO-178 certification in both commercial and military avionics has been unmanned platforms. Unmanned aerial systems (UASs) are even newer to the industry than the emergence of software, and while they present numerous benefits to warfighting and commerce, certifying UASs for safety is dependent on several factors. Unmanned platforms present unique certification challenges “In the past, because we needed these UASs – the Predators, the Global Hawks – we needed them really quick in Iraq and Afghanistan,” Hilderman says. “So, we were a little less formal about DO-178C, but today we know that they are a mainstay. We know that they need to be compliant to 178, but we also export those, and other countries don’t have these huge testing ranges that we do, they’re flying their UASs over civilian airspaces. So, they want to see 178, but we also have a standard called DO-278, and that applies to the portion of the UAS that is on the ground, because the pilot is on the ground. But UASs are also smaller and don’t have as much spare room.” Large airborne platforms allow space for redundancy, namely in commercial aviation. This is so that if an aspect of the system fails, there’s a backup. This is harder to achieve on UASs because the vehicle is lacking significantly in payload capacity. “Applying DO-178C to unmanned platforms is relatively new, and currently we see most UASs finding a way around DO-178C certification,” Jaenicke says. “Because there is no pilot to provide a backup safety layer, an additional layer of safety often is needed in the system. www.militaryembedded.com

and establishing an acceptable range of behaviors is a cardinal aspect of AI certification that has yet to be achieved.

Figure 4 | CoreAvi’s VkCore SC Vulkan-based safety-critical graphics and compute driver is a Khronos-sponsored ecosystem of open standards designed to bring graphics and compute functions into a layer that allows applications access to low-level silicon functions while preserving portability and a hardware-agnostic approach to platform integration.

That could be in the form of redundancy, which can be costly in terms not only of money but also size, weight, and power.” The nature of a UAS on the battlefield is to protect the warfighter, to take the place of a human in a potentially life-threatening situation. In civilian airspaces, the concept isn’t all that different. Instead of waging battle, however, the UASs are delivering packages. But that doesn’t mean the human is removed from the loop entirely, and the correspondence between the machine and the human still needs to be certifiably safe. “The architectural elements in platform software are different,” Subbarao says. “For instance, the communication between the ground station and the unmanned vehicle is directly in the safety-critical path since a failure of communication may lead to a catastrophic failure. FAA regulations on unmanned vehicles are also still evolving, so more regulations are to be expected in this area.” It’s true that the military is heavily invested in autonomous vehicles, as is consumer technology and commercial aviation, which means that transport of materials from troops and cargo to vaccines and pizza are all in the pipeline for UASs. With that reality on the horizon, additional interest in and certification with DO-178C isn’t far behind. (Figure 3.) Speaking of autonomy, AI has the potential to be an unrivaled and reliable copilot. At the same time AI – being the hot-button topic that it is in nearly every realm of commercial and defense electronics – also presents a new set of hurdles when it comes to not only keeping aircraft safe but also cementing its position in avionics as a whole. Establishing AI’s place in avionics safety certification “AI is an often-misunderstood term,” Hilderman says. “When we have a programmable coffee pot or the internet feeds you a new ad based on what you looked at before, that is not AI. That is just smart programming to simulate very basic human responses. True AI is via what’s called a deep neural network, and it results in a different answer given the same inputs. Real AI is when the software – the machine – is learning. [Safety-certification companies] are concerned because AI can learn in ways that are unsafe or produce an untested result. Aviation is about everything that could happen in the air has been specified and there’s a corresponding test for it.” The potential for AI in the sky is endless. Machine learning systems have already seen success in ground-based operations, but such self-teaching algorithms are not yet certifiable and allowed in deployed cockpits. This situation exists because defining how AI learns www.militaryembedded.com

“We don’t see machine learning or deep learning playing any role in DO-178C safety certification any time soon because the process needs to be deterministic and verifiable,” Jaenicke says. “Take code coverage, for example, which often has a machine learning component in nonsafety certifications. For DO-178C, each line of code must trace back to a specific requirement, and that is much more stringent than just making sure it gets executed properly. More traditional artificial intelligence, such as expert systems, could potentially play a role, but we haven’t seen much of that yet.” Officials are hopeful that a more deterministic AI could one day help assess complex systems. While the AI wouldn’t be flying on its own, it could serve to understand and model safe responses in complex systems and then learn from this to predict ways they could improve or might fail. While no rules exist yet, quantifying safe AI in aviation is in the works. “The machine learning process is by its nature very un-deterministic – it has to be, at least at the learning phase,” Pyne says. “However, in the deployment phase, the inference engines that run the convolutional neural networks and use that ‘learned information’ can be configured to satisfy the concerns of certification authorities. Not everyone realizes or is dealing with this, but at some point, inference engine determinism must be addressed by every system that wants to achieve high levels of safety criticality.” (Figure 4.) What could help companies reach that goal would be taking inspiration from the commercial aviation industry. In general, commercial technology has been quicker to adopt AI in fields like aviation just as well as transportation and automotive. There is the same need for commercial companies to meet specific safety requirements for civilian platforms as there is for defense, and commercial aircraft often has to meet both. MES

MILITARY EMBEDDED SYSTEMS

March 2021

MIL TECH TRENDS

Certifying COTS hardware and software

caption

Title By John McHale, Editorial Director abstract

Commercial Solutions for Classified (CSfC) – A primer By Jonathan Kline

The National Security Agency’s (NSA’s) Commercial Solutions for Classified (CSfC) The program enables integrators to leverage two distinct CSfC-approved commercial off-the-shelf (COTS) components to protect classified data at rest or in transit. Prior to the introduction of CSfC, programs with classified data requirements had to either develop or use an existing Type-1 solution.

26 March 2021

Type-1 solutions for meeting requirements for classified data introduce various controlled cryptographic item requirements (for example, force-specific handling, tracking, reporting, and protection requirements); they also require classified facilities/employees for implementation and integration. Type-1 also has its own its own certification process, which adds to schedule and cost pressures and is definitely a large hurdle to overcome if you’ve never completed it before. While traditional Type-1 solutions may be the only viable approach in many cases, in some instances the Commercial Solutions for Classified (CSfC) program provides an alternative, enabling integrators to take advantage of commercial cost, performance, and other benefits. Most of the approved components on the CSfC products list are focused on protecting data in transit. These components are usually focused on using multiple VPNs [virtual private networks] nested within each other. It’s implied through threat enumerations, but not required, that both components be provided by separate vendors. However, there is established precedent for both components being provided by a single vendor, generally with separate development/integration teams and cryptographic components. Fewer components are found for use in protecting data at rest, and most of the registered components are application- or platform-specific. They are generally not intended to be used as general-purpose solutions.

MILITARY EMBEDDED SYSTEMS

www.militaryembedded.com

Generally, [CSfC] certification requires compliance with one or more National Information Assurance Partnership (NIAP) protection profiles, compliance with the NSA CSfC capability package (CP), and registering the component with the NSA. requires compliance with one or more National Information Assurance Partnership (NIAP) protection profiles, compliance with the NSA CSfC capability package (CP), and registering the component with the NSA (Figure 1). Achieving compliance with the protection profiles requires the use of an accredited lab to perform the NIAP/ Common Criteria testing. The choice of lab will, in part, dictate how long the certification and accreditation process will take. Additionally, the NSA CSfC CP is used to restrict and/or reinforce protection profile requirements (generally these are related to specific requirements for algorithm selection mostly aligned with NSA Suite B and NIST guidelines). For example, the NSA CSfC CP specifies minimums for key sizes and specific algorithms/ modes used for encryption and authentication. The CP provides both a minimum threshold and an objective threshold. As part of the certification process, the cryptographic algorithms/implementations used in the component must be verified, either as part of a Federal Information Processing Standard (FIPS) 140/ACVP module or National Information Assurance Partnership (NIAP) testing. It’s generally more cost-effective to do it as part of a FIPS module. Both FIPS and NIAP require various self-tests and known-answers test to be completed during cryptographic module initialization/power-on and before use, which may guide where the cryptographic validation occurs.

The path to CSfC For a component to be added to the CSfC components list, it’s necessary to undertake a certification effort, similar to Type-1 solutions. Generally, certification

Once a component has been added to the approved products list, it is usable by a trusted integrator as part of a CSfC solution. Trusted integrators also must be registered and accredited with the NSA; the integrators’ accreditation process is like the components themselves. It should be noted that a product generally cannot be added to the approved products list until, at a minimum, it has entered formal test with NIAP. The certification for a component is valid for two years before needing maintenance. After a component enters the maintenance window, the certification can be renewed before it must be restarted from “ground zero.” Additionally, non-security-relevant

NIAP - Protection Profile for Application Software 1.3 NIAP - Module for File Encryption 1.0

Security Target

Target of Evaluation (TOE)

Formal Evaluation

Component Registration

NSA - CSfC Capabilities Package 5.0 Documentation

Component Software

Artifacts

Platform Hardware

Figure 1 | Component certification – file encryption. www.militaryembedded.com

MILITARY EMBEDDED SYSTEMS

March 2021

MIL TECH TRENDS

Certifying COTS hardware and software

changes such as the addition of additional processors and some hardware/operating system (OS)-level changes can be made by updating the NIAP certificates without requiring additional formal evaluation. These are so-called “vendor affirmed” changes and are required to be non-security-relevant. In the event that security-relevant changes are required, a delta-certification and update process must be used. Integrating CSfC components An approved CSfC system uses two different components in one the approved configurations (Figure 2). In order to have an approved CSfC solution, the use of a trusted integrator who integrates both layers of the CSfC solution is required. One of the more subtle points of this integration is providing a level of interaction and integration with both components specifically related to providing the authorization factors for both layers. The authorization factors enable an authorized user of the system to “unlock” the encryption key(s) for each layer. Each layer or component must use a unique authorization factor, making integration challenging for most situations or environments. File Encryption

File Encryption

Software Full Disk Encryption

Platform Encryption

Hardware Full Disk Encryption

Software Full Disk Encryption

Hardware Full Disk Encryption

Figure 2 | Approved configurations.

Depending on how the data at rest solutions are used, this level of integration may be required to occur in a preboot environment. Some of the specific requirements in the Authorization and Authentication protection profile, specifically for software full disk encryption, implicitly assume this scenario. What’s the story? Let’s look at some common questions: 1. Can an open source solution be certiﬁed? Nothing in the protection profiles or the NSA capability package prohibits it. In fact, most of the data at rest or data in transit solutions are based on open source software with modifications to meet the protection profiles and CP. The real hurdle is the cost of accreditation and needing to address very specific requirements which can be a challenge for non-purpose-built solutions.

AS 9100D / ISO 9001:2015 CERTIFIED

PHALANX II: THE ULTIMATE NAS

THE

Supports AES-256 and FIPS140-2 encryption

The McHale Report, by mil-embedded.com Editorial Director John McHale, covers technology and procurement trends in the defense electronics community.

Utilizing two removable SSDs, the Phalanx II is a rugged Small Form Factor (SSF) Network Attached Storage (NAS) file server designed for manned and unmanned airborne, undersea and ground mobile applications. w w w . p h e n x i n t . c o m

ARCHIVED MCHALE REPORTS AVAILABLE AT:

https://militaryembedded.com/newsletters/the-mchale-report

28 March 2021

MILITARY EMBEDDED SYSTEMS

PHX_OSP_3.375_4.875.indd 1

www.militaryembedded.com 1/22/18 11:36 AM

2. When do components get added to the approved components list? Components are eligible to be added to the approved components list after they have entered formal testing and pending award of the final certification documents. 3. What is the timeline for achieving CSfC? Assuming no new development or tailoring at the component level, it would be three to six months depending on the lab’s experience with the specific protection profiles and solution space. It should be expected to take from one to six months for integration of the individual components, mostly dependent on the vendor and the complexity of the integration effort. 4. Do you have to certify a purpose-built solution? No. Pre-existing, non-purpose-built components that met or exceeded the protection profile requirements can be certified; however, that does alter the way certain operations are performed, and it may take a bit of back-and-forth with the certifying

lab to find a solution that meets the protection profile requirements while not reducing the overall security of the components. The protection profiles assume particular use cases/scenarios, making it challenging to meet all requirements (to the letter of the protection profiles) without purpose-built solutions. Certification update Two components of the Wind River Titanium Security Suite for Linux, developed by Wind River’s technology protection and cybersecurity group Star Lab, are currently undergoing NIAP accreditation for use in general-purpose data at rest scenarios: FortiFS file-based data at rest encryption, and FortiFDE (software) full disk encryption (including authorization and authentication). FortiFS and FortiFDE are not intended to be used together to provide both CSfC layers of protection; however, there is some precedent for similar solutions from the same vendor being used together (such is the case with the solution Curtiss-Wright has developed and certified). The solutions are intended to provide programs different Linux-based options for meeting their CSfC data at rest requirements. Both components within the Wind River Titanium Security Suite are on track to be added to the NSA CSfC component list during 2021. MES Jonathan Kline is a Principal Architect and Solutions Engineer at Wind River’s Cybersecurity and Technology Protection Group, Star Lab. Jonathan has 20+ years’ experience with offensive and defensive security (including vulnerability assessments, kernel and hypervisor development on Linux/Unix/VxWorks, trusted boot systems, and the development of software protection/anti-reverseengineering capabilities) across a broad range of platforms. Star Lab, a Wind River company • https://www.starlab.io/

Accelerating Avionics Design & Testing through FACE Conformance Sponsored by AdaCore, Boeing, CoreAVI, Presagis, and RTI

This webcast will feature a presentation of a Future Airborne Capability Environment (FACE) Technical Standard Edition 2.1-aligned avionics Flight Deck integrated with these technologies: Boeing Geospatial Embedded Mapping Software (GEMS), Boeing User Experience Flight Deck framework, U.S. Army CCDC AvMC Crew Mission Systems (CMS) User Applications/UoPs, AdaCore GNAT Pro Ada Development Environment, CoreAVI Vulkan-based graphics and compute drivers and temp-screened AMD E9171 GPU, Presagis ARINC-661 Cockpit Display System, and RTI FACE-conformant Transport Services Segment (TSS) based on RTI Connext DDS. Watch the webcast: https://bit.ly/304optA

WATCH MORE WEBCASTS:

https://militaryembedded.com/webcasts/ www.militaryembedded.com

MILITARY EMBEDDED SYSTEMS

March 2021

INDUSTRY SPOTLIGHT

FACE combats existential threats Title to advance global Title By John McHale, Editorial Director in competitiveness By John McHale, Editorial Director airborne systems

Military avionics and the FACE technical standard

caption The UH-60 Black Hawk helicopter, one of the widely used platforms that received avionics upgrades under the FACE environment.

abstract abstract

Gone are the days where the United States could tower over all adversaries with unmatched technology projecting global power. Today, our near-peer adversaries can procure and build competitive, if not dominant, systems and capabilities that challenge our best weapons and defense systems.

As the costs of creating advanced avionics software continue to increase and program funding continues to be constrained, a new business and acquisition approach along with a new technology foundation needs to be adopted to maintain competitiveness with near-peer adversaries; in short, everything The must change. To meet this challenge, the government and defense/ aerospace industry have joined forces to create the Future Airborne Capability Environment (FACE), which redefines the landscape for developing, procuring, integrating, and maintaining next-generation military avionics platforms.

Historically, the U.S. has built manned aircraft platforms with both a single mission purpose and prime contractor and a fixed set of suppliers. Modifications to these systems had long lead times coupled with high change costs. Regardless, this approach worked well in a world where the number of aircraft types was constrained and the cost of aircraft was modest when compared to the cost of aircraft today. But in our new era of unmanned systems and relatively high airframe costs, this way forward is no longer feasible, especially with multiple near-peer adversaries emerging and evolving faster than we can innovate. This challenge is exacerbated by tightening military budgets and our equipment moving to unmanned, robotic, and autonomous platforms that drive both software and system complexity higher.

By Chip Downing

30 March 2021

MOSA to the rescue How to compete in this new environment? There are many vectors we can traverse to change this situation, but one vector that has proven to be successful is to build a new procurement and technology approach that creates system capability agility, coupled with a procurement process that does not need to flow through a platform prime contractor. The U.S. military has now fully embraced a Modular Open Systems Approach (MOSA) that opens up systems and platforms to enable the rapid insertion of the

MILITARY EMBEDDED SYSTEMS

www.militaryembedded.com

Figure 1 | The five segments of the FACE Reference Architecture.

best-of-breed technology from a supply chain that supports both legacy defense and new innovative companies. MOSA is based upon standards, with one of the most successful to date being the work of the Future Airborne Capability Environment (FACE) Consortium, a group actively managed by The Open Group standards organization. This consortium – consisting of more than 100 government, industry, and academia members – has created both a technology standard and business approach.

2. Input/Output Services Segment (IOSS): The IOSS is where normalization of vendor-supplied interface hardware device drivers occurs. IOSS UoCs provide the abstraction of the interface hardware and drivers from the PSSS UoCs. This allows the PSSS UoCs to focus on the interface data and not the hardware and driver specifics. 3. Platform-Specific Services Segment (PSSS): The PSSS is comprised of subsegments available in a given airborne platform, including Platform-Specific Device Services, Platform-Specific Common Services, and Platform-Specific Graphics Services. 4. Transport Services Segment (TSS): The TSS is comprised of communication services. The TSS abstracts transport mechanisms and data access from software components facilitating integration into disparate architectures and platforms using different transports. 5. Portable Components Segment (PCS): The PCS is the application layer and is comprised of software components providing capabilities and/or business logic. PCS components are intended to remain agnostic from hardware and sensors and are not tied to any data transport or operating system implementations, meeting the objectives of portability and interoperability.

The FACE Technical Standard is based upon a layered architecture. The FACE Reference Architecture defines a set of standardized interfaces providing connections between the five FACE architectural segments (Figure 1). These interfaces are:

Government/industry adoption The FACE Consortium has existed for more than ten years, has refined its suite of standards to production quality, and is now using the third generation of the FACE Technical Standard, Version 3.1, in multiple programs. Due to the many airborne programs the U.S. Army is fielding for existing aircraft – Future Attack Reconnaissance Aircraft (FARA) and Future Long-Range Assault Aircraft (FLRAA) – the Army is leading this open standards transition by specifying FACE standards and other MOSA standards in new and modified avionics designs. This strategy enables the U.S. Army to leverage the work that is being performed today in modernizing existing platforms: This work can be easily migrated over to Future Attack and Reconnaissance Aircraft (FARA) and Future Long Range Assault Aircraft (FLRAA) platforms as they become part of the fleet.

1. Operating System Segment (OSS): The OSS is where foundational system services and vendor-supplied software reside. An OSS UoC [unit of conformance] provides and controls access to the computing platform.

In a parallel track, the armed services have also moved military-airworthiness certifications to adopt the RTCA DO-178C avionics software safety standard proven in hundreds of commercial aircraft. This move produced an unexpected efficiency by creating commercial-off-the-shelf (COTS) certification evidence that can be used in multiple programs and platforms, minimizing the cost for each program. This stands in contrast to the legacy approach of creating safety artifacts for a single platform

www.militaryembedded.com

MILITARY EMBEDDED SYSTEMS

March 2021

INDUSTRY SPOTLIGHT

Military avionics and the FACE technical standard

with one program absorbing all of the costs. The FACE approach, therefore, creates technology-leading software that can be more readily deployed and can also use COTS safety certification evidence proven on other platforms that accelerates time to airworthiness and deployment. The FACE layered architecture can be directly mapped to industry partners delivering not only FACE Certified Conformant software but also COTS certification evidence, as depicted in Figure 2.

Figure 2 | FACE-certified conformant suppliers with DO-178C certification evidence.

Complete descriptions of each FACE Certified Conformant product can be found in the FACE Registry at https:// www.facesoftware.org/. Because this list of FACE Certified Conformant products changes often, it’s best to check it before making software decisions. Now military avionics designers can procure FACE software products from an open market and may also procure relevant safety evidence. The availability of having both companion products is driving a new marketplace that lowers the cost of acquisition and accelerates the time to airworthiness and deployment. FACE acceleration In today’s world – which has a growing number of near-peer adversaries – maintaining strategic dominance requires a focused effort by both the government and industry that requires all parties to adapt and evolve to meet new challenges head-on. Adopting MOSA and deploying the FACE Technical Standard and business approach has proven to accelerate the inclusion of the latest airborne innovations. In addition, these moves are creating a parallel market for COTS certification evidence that removes program risk and accelerates time-to-airworthiness and deployment. MES Chip Downing is the senior market development director of Aerospace and Defense at Real-Time Innovations (RTI). In this position he manages RTI’s global aerospace and defense business. Downing currently serves as chair of the FACE Consortium Business Working Group Outreach Subcommittee and serves as the VP/Ecosystem of the DDS Foundation. He previously served as senior director of Aerospace & Defense at Wind River Systems, and has led organizations at Esterel Technologies (now Ansys), Validated Software, OnCore Systems, and Mentor Graphics (now Siemens). Real-Time Innovations (RTI) https://www.rti.com/en/

32 March 2021

MILITARY EMBEDDED SYSTEMS

www.militaryembedded.com

INDUSTRY SPOTLIGHT

Making software FACE-conformant and fully portable: Coding guidance for Ada By Benjamin M. Brosgol The FACE [Future Airborne Capability Environment] approach to reducing life cycle costs for the military is based on reusing software components across different platforms and airborne systems. The FACE Technical Standard addresses this issue through a reference architecture and data model, well-defined interfaces, and widely used underlying industry standards (IDL, Posix, ARINC-653).

34 March 2021

Military avionics and the FACE technical standard

Conformance with the FACE [Future Airborne Capability Environment] requirements is a necessary condition for reuse and software portability, but full sourcecode portability means more than using a common set of interfaces. In order for a FACE-conformant software component – known as a Unit of Conformance or UoC – to be fully portable, it should have equivalent behavior across different platforms and/or compiler implementations. However, each of the programming languages called out in the FACE Technical Standard – C, C++, Ada, and Java – has features whose effect may depend on the compiler implementation or target platform. Writing a fully portable UoC in any of these languages involves avoiding the potential implementation dependencies. Where full portability is not possible, for example if there are intrinsic target dependencies, the software structure should encapsulate such dependencies. Ada has strong advantages to FACE UoC developers in terms of software engineering support and program reliability, and it was designed to facilitate the development of fully portable code, but even Ada has features with implementation dependencies. This article shows how application developers can use Ada or its formally analyzable SPARK subset to achieve full portability of FACE UoCs, in particular for the Safety or Security capability sets / profiles defined in the FACE Technical Standard.

MILITARY EMBEDDED SYSTEMS

www.militaryembedded.com

timing constraints are essential – since missing a deadline may mean that the program fails to meet its requirements.) In practice, however, several impediments may interfere with functional portability. These can include: Using language features that are either nonstandard (i.e., unique to a specific compiler vendor), or else are standard but optional and not implemented by all compilers; using standard language features with imprecisely defined semantics; and dependence on characteristics of the target platform. The following will offer guidance for Ada functional portability, covering both Ada 95 and Ada 2012, with a focus on features allowed by the Security and Safety capability sets of the FACE Technical Standard Edition 3.0 or later. Where applicable, the guidance shows how the SPARK Ada subset can be used to mitigate potential nonportabilities. (Here, the language name “Ada” refers to both Ada 95 and Ada 2012 unless indicated otherwise.) This guidance is not an exhaustive list; the Ada reference manual is the definitive source of information on which features can have implementation-dependent effects. Language extensions To prevent vendor “lock-in” from nonstandard extensions, the certification policy for Ada compilers has included a “no supersets” directive from the outset. That policy, however, has always recognized the utility of vendor-specific functionality provided that no new syntax is introduced, and thus allows certain kinds of language extensions; in particular, implementation-defined libraries, pragmas, attributes, arguments to pragma Restrictions, and (for Ada 2012) aspects. The FACE Safety-Extended and Safety-Base & Security capability sets impose a few restrictions in this area but do not otherwise restrict such language extensions. To facilitate portability, the use of implementation-defined language extensions should be minimized. Ada 2012 has explicit support for enforcing the absence of implementation-defined extensions, through arguments to pragma Restrictions; for example, No_Implementation_Pragmas and No_Implementation_Units.

Functional portability Portability, or what will be called functional portability here to distinguish it from portability in the sense of FACE conformance, has been a goal of programming-language design since the earliest days. Ideally, functional portability means that a source program can be compiled and run on one platform and then, possibly with a different vendor’s compiler, the same program can be successfully compiled and run on either the same platform or a different one and have an equivalent effect. (“Equivalent” informally means that the program has the same external effects except for those resulting from permissible timing differences. A real-time program has a limited concept of which timing differences are permissible – i.e., some of its www.militaryembedded.com

Optional features Another impediment to functional portability is to use a standard feature that is not supported by all compilers. The certification policy for Ada addresses this issue by prohibiting subsets: every Ada compiler must implement the full language. Nevertheless, the revision process that led to Ada 95 recognized that particular domains have specialized (and sometimes conflicting) requirements, and a number of annexes (the “Specialized Needs” Annexes) are therefore optional with respect to compiler certification. A compiler has to implement the full “core” language, including the predefined environment (standard library) and the interlanguage interfacing facilities, but the Systems Programming, Real-Time Systems, Distributed Systems, Numerics, Information Systems, and Safety and Security Annexes are optional. In practice this optionality has not been an issue, since the most commonly used annexes – Systems Programming and Real-Time Systems – are supported by the vendors in the Ada ecosystem. Moreover, the FACE Safety and Security capability sets for Ada prohibit the Distributed Systems, Numerics, and Information Systems Annexes, so their optionality is not relevant to functional portability. Nevertheless, the Systems Programming and Real-Time Annexes raise a few issues that might affect FACE UoC developers: Some of the services defined in these annexes and permitted by the FACE Safety and Security capability sets are intrinsically system-dependent (for example, interrupt handling) and thus will require revision on porting to a different execution environment. Designing the application to encapsulate such dependencies will ease the porting effort.

MILITARY EMBEDDED SYSTEMS

March 2021

INDUSTRY SPOTLIGHT

Military avionics and the FACE technical standard

The FACE Safety and Security capability sets significantly restrict the functionality supplied by these annexes. The UoC developer will need to demonstrate, through static analysis or code review/inspection, that prohibited features in these annexes are not used. Guidance for features with implementation-dependent semantics Functional portability requires well-defined semantics, so that a source program has an equivalent effect on each platform where it is compiled. In practice, however, there is sometimes a tradeoff between precisely defined semantics and efficient run-time performance. Since efficiency is typically a critical requirement for programmers, language standards (including Ada) contain features whose effect may vary across different implementations. Order of evaluation in expressions To facilitate optimization, Ada does not specify the order of evaluation of the terms comprising an arithmetic expression, but in some cases the effect depends on the order that the compiler chooses. One way to mitigate this issue is to identify potentially problematic instances (by inspection or static analysis) and make the order deterministic by rewriting the expression as a sequence of assignment statements that compute the intermediate results. Alternatively, the potential nonportability can be eliminated completely by using the SPARK Ada subset: restrictions such as the prohibition of side effects in functions ensure that the value of an expression is the same, regardless of the compiler’s choice of evaluation order. Parameter passing Formal parameters to a subprogram in Ada are specified in terms of the direction of data flow: “in,” from the caller to the called subprogram “out,” from the called subprogram back to the caller when the subprogram returns “in out,” from the caller to the called subprogram, and then from the called subprogram back to the caller when the subprogram returns The compiler chooses whether a parameter is passed by copy or by reference. For certain classes of types – in particular, scalar types and access types (“pointers”) – the semantics of parameter passing is by copy. For some other classes of types the semantics is by reference. But for types that do not fall into these categories, the compiler can choose either strategy, generally using the type’s object size as the criterion. If the size of each object is smaller than some threshold value, then by copy is used, otherwise it will be by reference. The potential functional portability issue is that the effect of the subprogram may depend on the compiler’s choice. This can occur through “aliasing” (e.g., a global variable is passed as a parameter to, and is also assigned from, the subprogram) or exception handling (a formal “out” or “in out” parameter is assigned from the subprogram, but an exception is propagated before the subprogram returns). These implementation-dependent effects can be mitigated in several ways. The aliasing issue can be avoided by ensuring that a global variable is not passed as a parameter to a subprogram that can assign to the variable. Violations can be detected by code review/inspection or static analysis tools and are prevented in SPARK (which prohibits such aliasing). The exception propagation issue can be avoided by appropriate programming style: deferring any assignment to the formal parameter until after it can be assured that exception propagation will not occur. This issue is completely avoided with SPARK,

36 March 2021

MILITARY EMBEDDED SYSTEMS

since the proof tools can demonstrate the absence of run-time exceptions. References to uninitialized variables The Ada language enables variables to be declared without initialization. Requiring initialization universally would be problematic: A sensible initial value might not exist, or the program logic might require initialization to be supplied by an external input at system startup. More subtly, default initialization can lead to a hard-to-detect programming error where a variable that needs to be explicitly initialized is referenced prematurely, yielding the default initialization that is valid for the variable’s type but incorrect. Referencing a variable before it has been initialized is a programming error. In the absence of a guaranteed value, the Ada semantics leave the effect of such a reference undefined. Ensuring that variables are initialized before being referenced is outside the scope of the restrictions in the FACE Safety and Security capability sets, and thus needs to be enforced through other means. Several Ada language features can help: Some types require a default initialization. In particular when an access value (pointer) is declared without an explicit initialization, it will be set to the special value null. An attempt to dereference the null value raises an exception The programmer can define default initial values for record fields In Ada 2012 any scalar type can define a default initial value In practice, references to uninitialized variables for other types are detected in many instances by the Ada compiler, especially at higher optimization levels where sophisticated flow analysis is used. Static-analysis tools can also address this issue while minimizing “false alarms.” And as with all the other potential nonportabilities discussed in this section, references to uninitialized variables are completely prevented in SPARK since they will be detected by the SPARK proof tools. www.militaryembedded.com

NAVIGATE ...

THROUGH ALL PARTS OF THE DESIGN PROCESS

TECHNOLOGY, TRENDS, AND PRODUCTS DRIVING THE DESIGN PROCESS Military Embedded Systems focuses on embedded electronics – hardware and software – for military applications through technical coverage of all parts of the design process. The website, Resource Guide, e-mags, newsletters, podcasts, webcasts, and print editions provide insight on embedded tools and strategies including technology insertion, obsolescence management, standards adoption, and many other military-specific technical subjects. Coverage areas include the latest innovative products, technology, and market trends driving military embedded applications such as radar, electronic warfare, unmanned systems, cybersecurity, AI and machine learning, avionics, and more. Each issue is full of the information readers need to stay connected to the pulse of embedded militaryembedded.com technology in the military and aerospace industries.

INDUSTRY SPOTLIGHT

Military avionics and the FACE technical standard

Concurrency Ada has a powerful and high-level concurrency model, but in the interest of supporting a wide range of target environments the language enables a number of scheduling policy decisions to be determined by the implementation. This nondeterminism is mitigated by the Ravenscar profile, a simple, deterministic and efficient subset of the Ada tasking features. Both the FACE Safety-Extended and Safety-Base & Security capability sets restrict the Ada tasking facility to the Ravenscar subset and thus avoid the functional portability issues of the full tasking model. (The Ravenscar features are allowed in the Safety capability sets for Ada 95 in Edition 3.0 of the FACE Technical Standard, and for both Ada 95 and Ada 2012 in Edition 3.1.) The Ravenscar subset is supported by SPARK, and thus a SPARK program will avoid the nondeterminism of the full Ada tasking model.

Dawn Single Slot OpenVPX Development

Backplanes

The Dawn family of one-slot OpenVPX test station and development backplanes gives engineers the ability to perform compatibility tests and easily reconfigure payload module profiles and slot interoperability to meet custom requirements. Highly useful as stand alone or in combination with other backplanes, with or without RTM connectors. Multiple units can be topology wired using MERITEC VPX Plus cables. Available 3U and 6U in VITA 65, VITA 67.1, VITA 67.2, VITA 67.3, Nano-RF, SOSA-aligned and Power Supply slot profiles. Custom configurations available. Rugged, Reliable and Ready.

You need it right. You want Dawn.

(510) 657-4444 dawnvme.com 38 March 2021

MILITARY EMBEDDED SYSTEMS

Writing fully portable code requires not only FACE conformance but also functional portability. That means following appropriate usage patterns, especially for features whose semantics are not completely defined by the language standard. Elaboration order An Ada program typically consists of a main subprogram together with the modules (“packages”) that the main subprogram depends on, directly or indirectly. Program execution first executes run-time code in the various dependent packages (for example to initialize global data) – known as “package elaboration” – then invokes the main subprogram. The order in which the packages are elaborated is partially constrained by language semantics but is generally implementationdependent, with different orders possibly yielding different results. Implementation dependence is intrinsic to the language semantics, since any attempt to completely specify the elaboration order would also prohibit useful cases such as interdependent packages. Several techniques can help ensure portability: Add appropriate pragmas to constrain the elaboration order (see Figure 1 for an example) or Avoid elaboration-time code in the dependent packages by moving all such code into procedures that are explicitly invoked at the start of the main subprogram Elaboration order nondeterminism can also be avoided by using SPARK, since the SPARK restrictions ensure that all elaboration orders have the same effect. Guidance for target dependencies System.* package hierarchy and representation clauses: Although low-level programming involves accessing targetspecific characteristics, Ada helps to mitigate the nonportability through standard www.militaryembedded.com

Figure 2 | Portable numeric type.

ranges/precisions. This situation can cause functional portability issues if the programmer implicitly assumes that a type such as Integer always has some minimum range; an arithmetic expression may overflow and raise an exception when the code is ported to a platform where Integer has a narrower range. The potential nonportability can be avoided by declaring custom numeric types instead of using the predefined types. Figure 2 shows an example. Follow usage patterns Writing fully portable code requires not only FACE conformance but also functional portability. That means following appropriate usage patterns, especially for features whose semantics are not completely defined by the language standard. Figure 1 | Elaboration order.

language features. The package System declares a type Address and associated operations, and the child packages System.Storage_Elements and System. Address_To_Access_Conversions offer standard facilities for dealing with “raw storage” and for treating a pointer as a physical address or vice versa. Representation clauses allow the program to define low-level properties of program entities, such as the layout of a record or the address of a variable. These features are permitted by the FACE Safety and Security capability sets. Although their usage is platform-specific, encapsulating such code in the bodies of packages will localize and help minimize the adaptation needed when porting the code to a new target platform. Numeric type representation: The predefined numeric types in Ada (Integer, Float, etc.) have implementation-defined www.militaryembedded.com

Ada is, in general, a language with strong support for functional portability, and over the years system modernizations have successfully ported large Ada programs to new hardware and new compiler implementations. Nonetheless, functional portability does not come automatically, it must be planned for; developers should either avoid language features that are implementation-dependent or else take appropriate mitigation measures. This is especially important for applications that need to adhere to one of the FACE Safety and Security capability sets/profiles. Such applications have strong assurance requirements, which are difficult to demonstrate if the code uses language features that are not precisely defined. The SPARK subset of Ada is particularly relevant, since the SPARK language restrictions ensure deterministic semantics. In brief, adopting appropriate stylistic conventions for Ada (most of which can be enforced by static analysis tools such as AdaCore’s CodePeer or GNATcheck) or using SPARK can help developers achieve full portability for their FACE-conformant software while also realizing the assurance benefits that Ada and SPARK bring. MES Dr. Benjamin Brosgol is a senior member of the technical staff at AdaCore. He has been involved with programming language design and implementation throughout his career, concentrating on languages and technologies for high-assurance systems with a focus on Ada and safety certification (DO-178B/C). Dr. Brosgol is Vice Chair of The Open Group FACE Consortium’s Technical Working Group. Readers may reach him at brosgol@adacore.com. AdaCore • www.adacore.com

MILITARY EMBEDDED SYSTEMS

March 2021

INDUSTRY SPOTLIGHT

Virtualization: A FACE lift for vehicle control By Will Keegan

As a testament to the celebrated success of FACE (Future Airborne Capability Environment), mandatory conformance requirements for mission-system software have flowed down for nearly every applicable military program since the publication of FACE 2.0. But even as FACE informs and guides all aspects of software design for tactical mission systems (communications, flight control, flight map and planning, cockpit displays, etc.), the world of vehicle control harbors reservations about FACE adoption. The imperative to deliver safety critical, hard real-time control systems has raised concerns about technical feasibility impeded by the complexities inherent to the FACE multicore Operating System Segment (OSS).

40 March 2021

Military avionics and the FACE technical standard

Recent experience in working with vehicle-control projects – particularly those based on multicore processors – has proven the use of CPU virtualization as a powerful tool that compliments operating systems in resolving integration conflicts between software components with platform requirements that differ greatly in terms of API [application programming interface] compatibility and architectural assumptions. The Future Airborne Capability Environment (FACE) standard views virtualization as primarily a hardware-consolidation tool. But as the world presses forward in the development of unmanned vehicles, the need to integrate vehicle-control and mission-system computing will become mandatory and the concerns more pertinent. Given its capacity to deliver on core FACE principles where hard real-time control is essential, virtualization deserves further consideration. The vision of FACE For many years, military systems have largely been based upon proprietary applications, middleware, operating systems, and/or hardware. This situation resulted in problems that included long lead times, high costs, and few opportunities to reuse existing technologies. Putting system modifications out to competitive tender has been impossible because the only suppliers equipped to make changes have been the suppliers of the original system. The FACE Consortium – a partnership between industry suppliers, government experts, academia, and customers – was formed to address those issues. Standardizing approaches for using open standards within military avionics systems promised to lower implementation costs, accelerate development, ensure robust architecture and consistently high-quality software implementation, and maximize opportunities for reuse.

MILITARY EMBEDDED SYSTEMS

www.militaryembedded.com

Figure 1 | Example FACE configuration with CPU virtualization-assisted hardware partitioning segment.

adopted in the IT world, the underlying hardware has features that are just as appealing to embedded engineers concerned with robustness and predictability. Virtualization in avionics systems Many of the benefits of multicore virtualization in embedded avionics systems are well documented. The ability to consolidate multiple legacy single-board computers (SBCs) with various operating systems and applications into a single, multicore, virtualized SBC is widely acknowledged to be the most tangible benefit to next-generation avionics. However, the capacity of CPU virtualization and hypervisors to provide benefits relating to real-time performance, software composability, and architectural robustness are less well-known to the veteran embedded software community. The following sections discuss these benefits as applied within the context of the FACE reference architecture: Dedicated partitioning segment, simplifying space for real time, and increasing portability and reuse. Dedicated partitioning segment Over the last ten years, there have been considerable advances in the ability to run multiple operating systems on a single processor through CPU virtualization. While popularized and universally www.militaryembedded.com

In traditional platform software design, each processor hosts a single operating system (OS) kernel that is responsible for managing memory allocation, execution scheduling, interrupt routing, exception handling, peripheral control, and bus multiplexing. Now, virtualization-enabled multicore hardware is now capable of accommodating many kernels, with each kernel allocated subsets of resources of varying types and sizes. Multiple independent software runtimes can therefore be implemented on a single device without the interference of a common kernel and consequentially common mode failure hazards. Such capabilities enhance fundamental architectural properties relating to safety and security concerns. From a security perspective, the use of built-in CPU virtualization features to isolate hardware-security functions, and separate application-runtime services from hardware control interfaces, goes a long way to assure system robustness. Such design techniques eliminate commonly exploited threat vectors that result in security-policy bypass, privilege escalation, and loss of CPU control altogether. From a safety perspective, upholding threshold design principles – predictability, integrity, and high availability – is greatly aided using virtualization partitioning features such as: DMA channel isolation Shared last-level cache partitioning Memory bus bandwidth allocation Independent interrupt, event, and exception handling The ability for software partitions to be fortified and controlled with greater fidelity at hardware levels aligns with FACE ideals. The diagram shown in Figure 1 introduces the notion of a “Hardware Partitioning Segment” fulfilled by a hypervisor to the FACE reference architecture. The depiction shows a hypervisor isolating two sets of software on two different CPU cores. Each set is configured with FACE-conformant

MILITARY EMBEDDED SYSTEMS

March 2021

INDUSTRY SPOTLIGHT

Military avionics and the FACE technical standard

components. Each set of software is granted greater partitioning properties over a single OS-hosted design where the device drivers and internal service are separated. Simplifying space for real time Adding yet another segment into FACE would be a significant undertaking. Introducing another class of technology and layer of software beneath an OS may seem counterproductive to real-time and safety-conscious developers wary of complexity. But the hardware partitioning and multiplexing capabilities presented by CPU virtualization presents the opportunity to encapsulate and map subsets of runtime features for critical tasks on a processor that is simultaneously hosting applications with inherently richer runtime and service dependencies. For example, suppose a vehicle-control health-monitor application, such as a highfrequency majority-voting CBIT [continuous built-in test] needed for TMR [triplemodular redundancy] error detection must run alongside a flight-planning application on a multicore processor. Using a hypervisor-based solution rather than implementing both applications concurrently on the same OS sharing the same network stack and kernel, the health-monitor application (shown in Figure 2) can be: Mapped to a separate CPU core Mapped to a separate Ethernet MAC Run according to an independent thread-scheduling algorithm Isolated from orthogonal interrupts and blocking semaphores Isolated from DMA and OS kernel memory-access errors Run on an optimized, minimalistic POSIX-compliant runtime environment The result is an ideal scenario for a real-time programmer looking to simplify analysis of worst-case execution time (WCET). Yet at the line-replaceable unit (LRU) level, the platform retains the ability to host applications with richer Transport Services Segment (TSS) and Operating System Segment (OSS) capability requirements that are less concerned about timing and integrity hazards. Portability and reuse Military programs are often stuck with board-support package (BSP) non-recurring engineering (NRE) costs that could be avoided if internal platform software were more

portable. Low-level code modules (particularly drivers) are notoriously problematic in providing valued properties of reuse and interoperability.

Recent experience on vehicle-control subsystems has proven virtualization as a means to reduce platform software complexity carving out low-level hardware-control access while providing the wellappreciated architectural benefits of partitioning and interoperability interfaces. Standardizing OS internal kernel interfaces is impractical due to their unique design and (in many cases) proprietary nature. However, several classes of device drivers that are naturally independent from core services and require minimal OS feature support (such as the file system) can be isolated by a hypervisor and integrated with applications over standard inter-process communication (IPC) interfaces. It is demonstrable that devices can be controlled independently from operating systems and integrated with other components without embedding proprietary OS dependencies. Consider an OpenGL UA application that simply needs drivers with access to the GPU device interface. Another example: A self-contained MIL-STD-1553 service with TSS-compatible I/O interfaces made available to PCS [portable component segment] applications (see Figure 3).

Figure 2 | Example FACE configuration with independent real-time partition.

42 March 2021

MILITARY EMBEDDED SYSTEMS

Instead of relying on OS implementations of resource mapping and IPC transports, the TSS layer and local application runtime software can have sufficient capabilities to locate dependent modules and integrate with the use of standard hypervisor-provided interfaces and www.militaryembedded.com

A58_MilEmbSys_2_125x10.qxp_Layout 1 1/14/21

.18" ht. Size does matter!

SURFACE MOUNT AND PLUG IN

Figure 3 | Example of standalone Units of Conformance (UoCs.

services. Such an approach can even follow the FACE Unit of Conformance (UoC) packaging requirements. This vision is not farfetched, given virtualization standards such as OASIS “VIRTIO” already exist and is well-established. Just as FACE relies on POSIX to uphold standard specifications for the OSS, VIRTIO can similarly support the proposed Hardware Partitioning Segment. Virtualization works for FACE FACE is a resounding success. But to date, the portability and interoperability benefits of FACE have been generally limited to the mission-system software hosted by operating systems above the TSS layer. Exacerbating that situation, the targeting of military avionics towards the development of unmanned systems is likely to see the underlying boundaries of mission system versus vehicle-control computing domains diminish, with the limitations of FACE becoming more of an irritation. To fulfill its charter, FACE must accommodate the needs of vehicle-control software. Recent experience on vehicle-control subsystems has proven virtualization as a means to reduce platform software complexity carving out low-level hardware-control access while providing the well-appreciated architectural benefits of partitioning and interoperability interfaces. Pressing into the standardization of these low-level capabilities can bridge the gap of FACE-compliance feasibility for vehicle-control development without tarnishing the undoubted benefits of existing FACE provisions for missionsystem development. MES In his role as chief technical officer for Lynx Software Technologies, Will Keegan leads the technology direction across all the Lynx product lines. He has been instrumental in the development of key security technologies within Lynx to broaden the reach of the existing products, with a focus on cybersecurity, cryptography, and virtualization. Keegan holds a Bachelor of Science degree in computer science from University of Texas. Lynx Software Technologies • https://www.lynx.com/ www.militaryembedded.com

MILITARY/CRITICAL

APPLICATIONS

QPL UNITS STANDARD

TRANSFORMERS AND INDUCTORS • Audio Transformers • Pulse Transformers • DC-DC Converters • Transformers • MultiPlex Data Bus Transformers • Power & EMI Inductors

VISIT OUR EXCITING NEW WEBSITE with SEARCH WIZARD www.picoelectronics.com

800-431-1064 Electronics, Inc. 143 Sparks Ave. Pelham, N.Y. 10803

info@picoelectronics.com

www.picoelectronics.com MILITARY EMBEDDED SYSTEMS

March 2021

EDITOR’S CHOICE PRODUCTS

SAASM GPS clock designed for defense applications The Orolia mission-critical SecureSync Selective Availability Anti-Spoofing Module (SAASM)-based GPS receiver for military applications is ruggedized and designed with a shock- and vibration-tested chassis, intended to meet MIL-STD-810F, the U.S. military standard that emphasizes tailoring an equipment’s environmental design and test limits to the conditions that it will experience throughout its service life. The base unit is engineered to provide an accurate 1 PPS [pulse per second] timing signal aligned to a 10 MHz frequency signal without any 10 MHz phase discontinuity. An assortment of internal oscillator options is available to fulfill a range of requirements for holdover and phase noise. The modular design is intended to enable a variety of highly specialized time and frequency functions, with users able to add as many as four additional input/output modules to each SecureSync SAASM to tailor it to specific defense needs. Option cards are available to add to configuration of timing signals, including additional 1 PPS or time code (IRIG, ASCII, HaveQuick), frequency outputs (10 MHz, 5 MHz, 2.048 MHz, or 1.544 MHz), telecom T1/E1 data rates, multiport NTP [network time protocol], and PTP [precision time protocol]. The SecureSync SAASM is security-hardened, designed to meet rigorous network security standards and best practices and includes tamperproof management and extensive logging.

Orolia | www.orolia.com

Processor AMC with Layerscape LX2160A released by VadaTech The AMC705 processor AMC (PrAMC) from VadaTech is based on the NXP Layerscape LX2160A in a single-module, full-size AMC [advanced mezzanine card] form factor based on the AMC.1, AMC.2, and AMC.4 specifications. The LX2160A provides 16 Cortex-A72 cores with 8 MByte platform cache and dual 64-bit memory controllers. Additionally, the front panel on the module provides GbE via a RJ-45 connector and 100GbE/40GbE/Quad-10GbE through a QSFP28 connector. The AMC705 is also designed to provide dual 10/1GbE to the rear per AMC.2 specification on Ports 0 and 1. Ports 0 and 1 will aim to support 10G operation, although this is outside the AMC standard (MCH with 10G on ports 0/1 or point to point on backplane is required). The module also has an option for PCIe on port 8-11 and when ports 8-11 are routed, the module could be configured as dual PCIe x4 or single x8. The two 64-bit wide memory banks on the module provide up to 16 GB of DDR4 with ECC [double data rate 4 with error-correction code].

VadaTech | www.vadatech.com

Rad-hard ICs for small sats and space applications Apogee Semiconductor, which makes technologies and products for space and other extreme environments, offers the AP54RHC RadHard Logic Family based on the company’s Transistor-AdjustedLayout for Radiation (TalRad) design methodology. The design is aimed at improving the radiation performance of commercial process technologies, thereby enabling the rapid creation of rad-hard designs in a fraction of the time and effort. The AP54RHC family includes functions such as level translators, majority voters, transceivers, and logic gates. The AP54RHC family of products – built with cold-sparing capabilities and triple-redundant operations – is intended for use in small satellite applications. The products possess a TID resilience of 30 krad (Si) and are single-event latch-up (SEL) hardened up to 80 MeV cm2/mg, encapsulated in a 14-pin TSSOP plastic package. Included in the family of products are the AP54RHC504 5-channel buffer level translator and the AP54RHC505 5-channel level translator with bus hold. These devices are fabricated in a 180 nm CMOS process and operate, as with the entire family of devices, across a full 1.65 V to 5.5 V range providing the system designer flexibility in logic-level interfaces. The -504 and -505 can operate across this range on both of their supply voltage inputs, VCCA and VCCY. In addition, both support “zero-power penalty” cold-sparing, along with Class 2 ESD protection on all inputs and outputs. A proprietary output stage and robust power-on reset (POR) circuit enable the -504 and -505 to be cold-spared in any redundant configuration with no static power loss on any pad of the device. Flight units will be available in 2Q21, and a 300 krad version of the AP54RHC family is expected to be released soon.

Apogee Semiconductor | https://apogeesemi.com 44 March 2021

MILITARY EMBEDDED SYSTEMS

www.militaryembedded.com

EDITOR’S CHOICE PRODUCTS

Space-qualified power converters using COTS can lower risk, cost Microchip Technology has expanded its SA50-120 power converter family with nine new units based on its commercial off-the-shelf (COTS) technology. Using COTS parts means that developers will have access to space-qualified power converters that help to minimize risk and lower development costs. The SA50-120 radiation-hardened DC-to-DC converters – the only standard nonhybrid space-grade DC-DC power converters available – use surface-mount component construction for flexible and customizable specs, according to Microchip. The family of converters is qualified to MIL-STD-461, -883, and -202 for electromagnetic resistance, moisture resistance, and corrosion survivability. The EMI-compliant SA50-120 family – which use 120 V input and give off as much as 56 W of output – are aimed at use in satellite and spacecraft applications. The units use switching regulators that use peak current mode controlled single-ended forward converter topology with inherent single-event immunity and have been tested to eight million hours Mean Time Between Failure (MTBF) and up to 87% efficiency. The units are qualified to 100 krad (Si) total ionizing dose (TID) and single-event effects (SEE) greater than 80 MeV cm2/mg. They also feature synchronization, a transistor-transistor logic (TTL) on/off command signal, plus single-output versions additionally offer remote sense, output voltage adjust, and parallel connection functions.

Microchip Technology | www.microchip.com/

Counter-UAS system uses AI/ML Liteye Systems offers a new counter-unmanned aerial system (cUAS) product, the Liteye SHIELD, that operates across air, ground, surface, and radio frequency (RF) domains using cutting-edge technology required to defend against the rapid technology maturation and proliferation of small UAS threats. The SHIELD melds artificial intelligence (AI) and machine learning (ML) techniques with the newly designed SPYGLASS 3D radar plus electrooptical (EO) and infrared (IR) tracking to increase the speed and confidence of the system. The system’s command and control capabilities additionally ensure that the full detect/track/ID kill chain is automated and conducted at machine speed. The cUAS system operates autonomously, enabling the operator to monitor the environment, manage multiple systems, and then step in for final positive ID and trigger pull to fulfill the mission. Key components in this operation are the 3D radar, the AI-based RF detect, AI target prioritization, and automated video track. The dispersed networked command and control (“Man-on-the-loop” local control) means that the operator can use any console with a distributed common operation picture. The local command and control enables multisensor resource management along with sensor fusion to an intuitive operating system that uses ML principles and 3D targeting for cueing networked effectors. The platform-agnostic, mobile and transportable system is intended for use as air and ground base defense, convoy protection, offensive electronic attack, wildfire protection, space launch protection, and event security.

Liteye Systems | https://liteye.com/

SOSA-aligned 3U Ethernet Switch for low-SWaP computing Interface Concept has introduced the ComEth4412a, a 3U VPX dual-plane hybrid PCIe Gen 3 and 40 Gigabit Ethernet switch, designed in alignment with the Sensor Open Systems Architecture (SOSA) technical standard. This hybrid switch combines two separate switches: The Expansion/Data Plane Switch that is designed to support as many as six 4-lane PCI Express Gen 1/2/3 ports with support for upstream, downstream, and nontransparent modes; and the Control Plane Switch, which is engineered to be a state-of-the-art managed L2+/L3 Ethernet switch capable of supporting as many as 12 Ethernet ports operating at 1, 10, or 40 Gbits/sec. Featuring nonblocking architecture, the ComEth4412a is aimed at handling high-speed and heterogeneous PCI Express and Ethernet data flows in highly integrated low size, weight, and power (SWaP) systems. The board – since it was developed in alignment with the SOSA Technical Standard – is compliant with the SOSA/VITA 65.0 switch profile SLT3-SWH-6F8U-14.4.15. The ComEth4412a is controlled through an intuitive interface available as a command line (CLI) or graphical user interface (GUI), in addition to SNMP. The switch is available in standard, extended, and rugged grades in air-cooled and conduction-cooled versions.

Interface Concept | www.interfaceconcept.com www.militaryembedded.com

MILITARY EMBEDDED SYSTEMS

March 2021

www.militaryembedded.com

CONNECTING WITH MIL EMBEDDED

By Editorial Staff

ThanksUSA

Each issue, the editorial staff of Military Embedded Systems will highlight a different charitable organization that benefits the military, veterans, and their families. We are honored to cover the technology that protects those who protect us every day. To back that up, our parent company – OpenSystems Media – will make a donation to every group we showcase on this page.

This issue we are highlighting ThanksUSA, a 501(c)(3) nonprofit foundation that that provides need-based academic scholarships and pathways to employment for the spouses and children of people serving in the U.S. armed forces. “The mission of ThanksUSA is to provide life-changing opportunities for our military’s children and spouses, increasing their chances at achieving personal and professional goals,” stated Jon Rosa, president and CEO of ThanksUSA.

The organization was launched in 2006 by young sisters Rachel and Kelsi Okun of McLean, Virginia, in honor of a neighbor who had returned from service in Iraq with serious injuries. The girls’ idea began as a national treasure-hunt game based on American history, which encouraged participants to get involved through contributions and activities. Ultimately the organization was named ThanksUSA, short for “Treasure Hunt Aiding Needs of Kids and Spouses of those serving the United States of America.” Since its inception, ThanksUSA has awarded 4,850 scholarships valued at more than $15 million to military families in all 50 states and every branch of the military. One of the major programs is called Pathways for Patriots, which was expanded in January 2021 in response to enhanced need during the COVID-19 pandemic. Among the elements of Pathways for Patriots are monthly Pathfinder sessions in which participants hear from professionals about their career field, obstacles, and lessons learned; peer discussions to address financial, emotional, educational, and career issues with significant focus on solutions; counseling offered by experts with questions submitted through social media; a seminar series focused on career development; and career-enrichment/job-recruitment fairs. For additional information on ThanksUSA, please visit https://www.thanksusa.org/.

WHITE PAPER

PODCAST

Capturing data from ultra-wideband radar systems

In this podcast, host John McHale, Group Editorial Director, talks with Chris Tojeira, Recording Systems Director at Pentek, about ultra-wideband radar systems.

Ultra-wideband radar systems are generating unprecedented amounts of data and require storage systems that can handle the high bandwidth and what can seem like information overload. In their discussion, McHale and Tojeira cover the U.S. Department of Defense (DoD) current ultra-wideband radar requirements, how to capture signal data, the use of PCI Express, the advantages of FPGAs [field-programmable gate arrays], and issues surrounding latency. They also talk about the future of signal recording and Tojeira shares a story about an old Commodore 64 computer from the 1980s. This podcast is sponsored by Aerospace Tech Week, which is slated to take place on June 23-24, 2021 in Toulouse, France. Listen to this podcast: https://bit.ly/2Mz06Ba Listen to more podcasts: https://militaryembedded.com/podcasts

46 March 2021

MILITARY EMBEDDED SYSTEMS

Software Defined Radio Handbook – 14th Edition By Rodger Hosking, Vice President and Cofounder of Pentek Software-defined radio (SDR) has revolutionized electronic systems for a variety of applications, including communications, data acquisition, and signal processing. In order to fully appreciate the benefits of SDR, users need to compare conventional analog receiver and transmitter systems to their digital counterparts, highlighting similarities and differences. This handbook, updated to the 14th edition, explores the inner workings of the SDR, with an in-depth description of the internal structure and the devices used. This handbook shows how digital downconverters (DDCs) and digital upconverters (DUCs), the fundamental building blocks of SDR, can replace legacy analog receiver and transmitter designs while offering significant benefits in performance, density, and cost. Also discussed are actual board- and system-level implementations and available off-the-shelf SDR products and applications based on such products. Read this white paper: https://bit.ly/3dMXElx Read more white papers: https://militaryembedded.com/whitepapers

www.militaryembedded.com

Accelerating Time from Concept to Product More competitors. More demands. More rapidly emerging threats. Analog Devices has a depth of industry and technical expertise that is unmatched. Together with an unrivaled portfolio of RF and microwave solutions, you can now reduce the prototype phase of design by months and get to market faster than you ever thought possible.

Get to market faster at analog.com/ADEF

The Big Thing in

RFSoC is Here. (And it’s only 2.5 inches wide!)

Small

Powerful Deployable

Pentek’s Model 6001 FPGA board lets you quickly develop and deploy RFSoC technology, while optimizing your system for SWaP. Mounted on your custom carrier or Pentek’s proven 3U VPX carrier, the new QuartzXM® comes pre-loaded with a full suite of IP modules, robust software, and fully integrated hardware — all geared to shorten time to market and reduce design risk. And at only 4"x2.5", it can be deployed in extremely compact environments, including aircraft pods, unmanned vehicles, mast-mounted radars and more. • QuartzXM eXpress Module speeds migration to custom form factors • Powerful Zynq® Ultrascale+™ RFSoC with built-in wideband A/Ds, D/As & ARM processors • Dual 100 GigE interfaces for extreme system connectivity • Robust Factory-Installed IP for waveform generation, real-time data acquisition and more • Board Resources include PCIe Gen.3 x8 and 16 GB DDR4 SDRAM • Navigator® Design Suite BSP and FPGA design kit for seamless integration with Xilinx Vivado®

Unleash the Power of the RFSoC. Download the FREE White Paper! www.pentek.com/go/mesrfsoc

All this plus FREE lifetime applications support! ™

Pentek, Inc., One Park Way, Upper Saddle River, NJ 07458 Phone: 201-818-5900 • Fax: 201-818-5904 • email: info@pentek.com • www.pentek.com Worldwide Distribution & Support, Copyright © 2019 Pentek, Inc. Pentek, Quartz, QuartzXM and Navigator are trademarks of Pentek, Inc. Other trademarks are properties of their respective owners.