
Military cockpit upgrades embrace open architectures


Military Embedded Systems
March 2012 | Volume 8 | Number 2
MIL-EMBEDDED.COM

ON THE COVER:
The Black Hawk UH-60M’s upgraded cockpit uses Rockwell Collins avionics and synthetic vision technology. Photos courtesy of Rockwell Collins.

COLUMNS

Editor’s Perspective
8 FY 2013 DoD budget request shrinks, but avionics retrofits get dollars
By John McHale

Field Intelligence
10 Routing data at the tactical edge
By Charlotte Adams

Mil Tech Insider
11 Certifiable avionics takes off as UAV fleet operates in commercial airspace
By Curtis Reichenfeld

DEPARTMENTS

12-13 Defense Tech Wire
By Sharon Hess

44-45 Editor’s Choice Products

SPECIAL REPORT | Embedded avionics for military aircraft

14 New aircraft platforms get cut back, opening the door for avionics retrofits that leverage COTS hardware and software
By John McHale

MIL TECH TRENDS | Transitioning from DO-178B to DO-178C

22 DO-178C brings modern technology to safety-critical software development
By Tim King, DDC-I and Bill StClair, LDRA Technology

26 Trusting the tools: An agile approach to tool qualification for DO-178C
By Dr. Benjamin Brosgol and Greg Gicca, AdaCore

INDUSTRY SPOTLIGHT | Software analysis

30 Open source clears up the military stovepipe mess
Interview with Carl Houghton, Vice President, Strategic Initiatives & Advanced Technology at Intelligent Software Solutions

34 Symbolic execution techniques identify vulnerabilities in safety-critical code
By Paul Anderson, GrammaTech, Inc.

38 Automated performance measurement and timing analysis help military embedded systems avoid early obsolescence
By Dr. Andrew Coombes, Rapita Systems

EVENTS
www.opensystemsmedia.com/events

MAE - Military, Defence & Aerospace Electronics Technical Conference & Exhibition 2012
May 22, 2012 | Royal Berkshire Conference Centre, Reading, UK
www.mae-show.com

2012 IEEE Nuclear and Space Radiation Effects Conference
July 16-20, 2012 | Miami, Florida
www.nsrec.com

All registered brands and trademarks within Military Embedded Systems magazine are the property of their respective owners.
© 2012 OpenSystems Media
© 2012 Military Embedded Systems
ISSN: Print 1557-3222






EDITOR’S PERSPECTIVE

FY 2013 DoD budget request shrinks, but avionics retrofits get dollars

By John McHale, Editorial Director

To no one’s surprise, the U.S. Department of Defense (DoD) Fiscal Year 2013 budget request was down over last year’s as the department was forced by the current economic climate to tighten its belt and streamline military procurement. The DoD cut back on procurement of major programs such as the Joint Strike Fighter (JSF) and increased its funding for retrofits of current aircraft programs such as the Chinook and Apache helicopters.

DoD requested $525.4 billion overall for FY 2013, down $5.2 billion from FY 2012 enacted numbers. Overseas Contingency Operations (OCO), including missions in Afghanistan and Iraq, were funded separately in the FY 2013 budget request at $88.5 billion, down $26.6 billion from the FY 2012 enacted level of $115.1 billion.

The drop has been expected by military embedded computing suppliers and, as they forecasted, funding continues and even increases in their niche areas such as avionics and unmanned systems. Below are some highlights of aircraft funding from the FY 2013 request.

Overall aircraft funding within the FY 2013 budget request dropped from $54.2 billion in the FY 2012 budget to $47.6 billion in FY 2013 – with $3.8 billion slotted for Unmanned Aerial Vehicles (UAVs).

Avionics opportunities

Army avionics retrofits and upgrades, which leverage a great deal of Commercial Off-the-Shelf (COTS) hardware and software, will continue to get funding under the FY 2013 budget request. Army rotorcraft retrofit programs funded in the FY 2013 request include upgrades to the AH-64 Apache, CH-47F Chinook, and UH-60 Black Hawk. Funding for the Light Utility Helicopter (LUH) also is going forward. (For more military avionics, see the Special Report on page 14, entitled New aircraft platforms get cut back, opening the door for avionics retrofits that leverage COTS hardware and software.)

The AH-64 Block 3 program is broken down into remanufactured and new-build aircraft. The budget request calls for the remanufacture of 40 aircraft and the production of 10 new aircraft in the AH-64 D Longbow Block 3 configuration. Remanufacture is up from $654 million in FY 2012 to $809 million in FY 2013 and new Apache aircraft procurement from $758 million to $1.109 billion in FY 2013. Under the Apache Block 3 program, the Army is adding fire control radar and night vision technology.

Chinook funding in FY 2013 also includes digital cockpit upgrades and a digital data bus to enable the Army to add more communications and navigation equipment. Within the FY 2013 request, the DoD is looking for 25 new Chinook F models and 19 remanufactured/Service Life Extension Program aircraft.

The FY 2013 request continues support for the UH-60 Black Hawk five-year Multiyear Procurement (MYP) contract for FYs 2012-2016, though it is down slightly to $1.305 billion from $1.705 billion in FY 2012. DoD will procure 59 base-funded aircraft – this number is down from 72 in FY 2012. UH-60 variants funded include the Utility UH model and the Medical HH model.

Funding for the Light Utility Helicopter program also made it into the FY 2013 budget request. The LUH will replace the UH-1 and the OH-58 Kiowa Warrior A and C models. The FY 2013 budget calls for production of 34 helicopters.

F-35 and F-22

The F-35 JSF program continues to get billions of dollars in the budget, but the numbers are down from last year as the program is restructured to save money. F-35 Research, Development, Test, and Evaluation (RDT&E) funding is down slightly from $2.708 billion in 2012 to $2.699 billion in FY 2013. The FY 2013 budget plans for procurement of 29 aircraft – 31 were procured in FY 2012. The 29 include four Carrier variants for the Navy, six Short Take-Off Vertical Landing variants for the Marine Corps, and 19 Conventional Take-Off and Landing variants for the Air Force.

Overall funding for the F-22 Raptor program is down from $916 million in FY 2012 to $808 million in FY 2013, which continues the fighter’s capability upgrades, including Increment 3.1, which calls for electronic attack capability, emitter-based geo-location of threat systems, and ground-looking Synthetic Aperture Radar (SAR) modes. Increment 3.2 will include radar electronic protection, Automatic Ground-Collision Avoidance System (AGCAS), and intraflight data link improvements.

UAVs

UAV funding for the DoD continues to be important as the department plans to procure 34 Reapers and 19 Gray Eagles to eventually reach a total 65 Predator and Reaper Combat Air Patrols (CAP)/orbits by FY 2017. RDT&E funding also increased from $971 million in FY 2012 to $1.103 billion in FY 2013 for the RQ-4 Global Hawk program as DoD looks to procure three Air Force NATO Alliance Ground Surveillance (AGS) aircraft, payloads, and integrated logistics support for the three aircraft.

John McHale
jmchale@opensystemsmedia.com




FIELD INTELLIGENCE

Routing data at the tactical edge

By Charlotte Adams

As military networks reach out to individual soldiers and their vehicles at the tactical edge, the promise for intelligence and command and control is great, but so are the risks unless security is built in from the ground up.

Despite the specter of budget cuts and program cancellations, the U.S. military continues to stress high-speed, high-bandwidth, agile, and secure communications. The first strategy-based equipment imperative listed in the Army Modernization Plan 2012 is “network the force.” Of the handful of mission-critical systems identified in that document, four focus on communications or information superiority.

U.S. forces envision bandwidth-hungry transactions such as HD video feeds in the tactical space. Programs and concepts have emerged to support such aims, including the proliferation of high-speed communications and processing nodes on the battlefield. This expansion of tactical connectivity, however, is based on IP, a core component in commercial-enterprise architectures but a magnet for attacks.

IP vision

The first “critical” program listed in the Army Modernization Plan 2012 is the Joint Tactical Radio System. This family of Software-Defined Radios will provide tactical end-to-end IP data and voice communications. These include the Warfighter Information Network-Tactical, an IP-based broadband backbone; the Ground Combat Vehicle, which will exploit networking advances; the Army’s portion of the Distributed Common Ground/Surface System for intelligence information access; and the Joint Battle Command-Platforms effort that involves integration of computer hardware and software and networking capability into tactical vehicles, aircraft, and dismounted forces.

High-bandwidth tactical communications would be a force multiplier, improving coordination in the field. Multiple tanks or armored vehicles, for example, each equipped with a router to connect the nodes, could set up a mesh network for data sharing. Some of the vehicles might also be equipped with powerful cellular and satellite links to communicate with dismounted soldiers or over longer distances. The vehicles could also serve as processing nodes for dismounted soldier applications.

The tactical “cloud” computing environment described in the preceding example could support applications such as facial recognition. Soldiers could transmit photos of persons via smartphones to determine whether those persons should be detained. Tactical cloud resources could be distributed between forward bases and mobile assets. Current concepts envision routers and processors embedded in ground vehicles, drones, airplanes, ships, and satellites.

Challenges

Deployment won’t be easy. The common attacks that bedevil the commercial IP world – where bandwidth is high and reliable, links are fixed, and processing and storage resources are generous and stationary – are more likely and dangerous in a hostile environment where bandwidth is uncertain, assets mobile, and resources limited. Moreover, IP was built for openness. Hackers cut their teeth on Internet Denial of Service (DoS), spoofing, and malware attacks.

Many security measures are already in place, using physical and procedural protection, encryption, authentication, and other techniques. However, new attacks are invented every day. Government-sponsored or subsidized attacks would also be likely in a hostile environment. That is why routers – the heart of the network – are adding firewall and intrusion detection hardware and software, building in security at the ground floor. An example of these emerging products is the GE Intelligent Platforms RTR8GE, a small, rugged, intelligent IP router with tunable security, using the COTS-hardened Junos OS (Figure 1).

Figure 1 | RTR8GE rugged, intelligent IP router from GE Intelligent Platforms

Technology dividends

Routers are more intelligent than switches. They can detect errors, retransmit packets, and change data paths, depending on the circumstances. But modern secure routers can do much more. Using hardware-based Deep Packet Inspection (DPI), these devices can scan packets from the physical to the application layer, for example, flagging a word in an email message. Whereas software-based DPI struggles to keep up with the line rate, hardware-based DPI can monitor data flows without inducing crippling delays.

Emerging technologies, such as Radio Aware Routing (RAR) protocols, allow the router to monitor link status and reliability. The router will be able to choose the best link – satellite, cellular, or traditional ground radio – and the best path to the destination. As the quantity and variety of wired nodes grow, network bandwidth and reliability are enhanced. The RAR and similar protocols will help enable the goal of secure mobile ad hoc networking, allowing fast, networked communications.

For more information, contact Charlotte at cburtonadams@yahoo.com.


MIL TECH INSIDER

Certifiable avionics takes off as UAV fleet operates in commercial airspace

By Curtis Reichenfeld

The new U.S. Defense budget significantly increases deployment of Unmanned Aerial Vehicles (UAVs). Under the new budget, the UAV sector is soon expected to approach one-third of all military aircraft platforms. With expanded missions, UAVs will more frequently operate in the U.S. national airspace and the airspace of other countries, alongside commercial and private aircraft. UAVs currently fly in restricted airspace during take-off and landing and quickly ascend to altitudes high above commercial air traffic. Operation of UAVs in commercial airspace will require the use of safety-certified software in embedded avionics systems.

Electronics suppliers need to provide software artifacts and certification evidence to enable their customers’ platforms to successfully achieve DO-178B (for software) and DO-254 (for firmware) certification. DO-178B defines guidelines for developing software for airborne systems and equipment. DO-254 applies the same basic design assurance principles to develop safety-critical firmware written for complex devices used in the subsystem, such as FPGAs and programmable logic devices.

While some military avionics vendors are frequently required to show adherence to DO-178B, they may not necessarily be certified by the Federal Aviation Administration (FAA) or European Aviation Safety Agency (EASA). Nevertheless, many military systems integrators are using DO-178B (and soon DO-178C) design assurance guidelines as a replacement for obsolete military design standards.

UAV safety certification requirements emerge

The FAA is currently working to define specific safety certification rules for the deployment of UAVs in the National Airspace System (NAS). Critical capabilities such as “Sense-and-Avoid” and “due regard” are needed to ensure the safe operation of autonomous and remotely piloted vehicles that can encounter commercial and private aircraft. The industry is already seeing requirements in UAV electronic systems for DO-178B and DO-254. Development of software and hardware that can successfully be certified at the platform level requires the collection of all development artifacts, including plans, requirements, design, integration, test, verification, and validation of those products.

Industry response: Certifiable OSs and BSPs

Safety-critical systems require certification artifacts at the Operating System (OS) and Board Support Package (BSP) levels. Safety-certifiable OSs such as Green Hills’ INTEGRITY, Wind River’s VxWorks 653, Linux, and Express Logic’s ThreadX demand a rigorous development process. These specialized certifiable OSs can be costly, with the price of some certification packages ranging from $300,000 to $500,000. Also BSPs for use in UAVs must have the same level of certifiable artifacts as the safety-certifiable OS. Electronics vendors have to ensure that the software development processes for the safety-certifiable OSs and BSPs generate all of these artifacts. Certification artifacts for safety-critical applications such as flight control and mission software are provided to the platform provider and reviewed by the certification authorities.

An example of a DO-178B and DO-254 certifiable electronic subsystem is Curtiss-Wright Controls Defense Solutions’ Versatile Flight Control Computer (VFCC), a high-performance embedded processing system optimized for Size, Weight, Power, and Cost (SWaP-C) (Figure 1). This rugged subsystem features dual 600 MHz ARM Cortex-A8 processors, dual TMS320C64x+ DSPs, and three Xilinx FPGAs, developed under IRAD. It is the first application in an AgustaWestland program for use in commercial and military versions of its Rotorcraft Technology Validation Programme (RTVP) helicopter.

Figure 1 | The VFCC from Curtiss-Wright Controls Defense Solutions

Certified development for critical software

Critical software requirements flow down to system providers from prime contractors, who in turn receive their requirements from government agencies. It is critical for electronics providers to have a rigorous development process in place to meet these needs. In addition to DO-178B, prime contractors are seeking vendors who have a Capability Maturity Model Integration (CMMI) Level 3 appraisal as a minimum. The CMMI rating system is overseen by the Software Engineering Institute (SEI), a federally funded research and development center sponsored by the DoD. Prime contractors are typically needed to meet higher levels, CMMI 4 and 5, which in turn is driving demand for electronics providers who can support these development processes with a Level 3 rating. As unmanned vehicles increase operations in commercial aerospace, the need for rigorous development processes to the level of commercial aircraft is critical to the safety of the general public.

To learn more, e-mail Curtis at creichenfeld@curtisswright.com.


DEFENSE TECH WIRE
mil-embedded.com/magazine/wire

By Sharon Hess, Managing Editor

NEWS | TRENDS | DoD SPENDS

Boeing delivers upgraded V-22 to USMC

Is it a helicopter or a fixed-wing aircraft? Certainly the V-22 Osprey has capabilities of both, and was at the center of a recent product delivery (Figure 1): The USMC has received the first V-22 Osprey with Block C upgrades courtesy of The Boeing Company and Bell Helicopter. The upgrades comprise expanded Electronic Warfare system capacity, a new weather radar system, greater situational awareness via improved cabin and cockpit displays, and even an upgraded Environmental Conditioning System to provide increased comfort for soldiers and aircrew. Dubbed a “tiltrotor,” the V-22 Osprey can hover, land, and take off vertically similar to a helicopter, and when in the skies, it can transition into a turboprop airplane that delivers high-altitude, high-speed flight.

Figure 1 | The Boeing Company and Bell Helicopter recently delivered the first Block C upgrade-equipped V-22 Osprey to the USMC. Photo courtesy of Boeing

L-3 gets kudos from AAAA, acquires new business

The Army Aviation Association of America (AAAA) held an awards banquet last month, and one of its honorees was L-3 Communications’ L-3 Army Fleet Support (L3-AFS) unit. L3-AFS was given the 2011 Army Aviation Materiel Readiness Award for a Contribution by a Major Contractor, for performance rendered Nov. 1, 2010 through Oct. 31, 2011. The Army Aviation service branch renders aircraft maintenance, supply chain management, and logistics support. In other L-3 news, the company acquired Danaher Corporation’s Kollmorgen Electro-Optical unit. The new unit will operate as “L3-KEO” and cost L-3 about $210 million. The new division manufactures and designs fire control systems for ships, periscopes and photonics systems for submarines, ground electro-optical systems, and visual landing aids.

Raytheon offers free upgrade

Is anything really free? Seems this one is, at least to end users: Raytheon Company is giving away a free upgrade to the Integrated Waveform (IW) software for AN/ARC-231 airborne radio terminals, touted to triple the terminals’ satellite capacity. Having undergone Defense Information Systems Agency (DISA) field testing, the Satellite Communication (SATCOM) software upgrade is provided for every U.S. Army Aviation aircraft in addition to some USAF aircraft that already have AN/ARC-231 terminals. The impetus for the complimentary upgrade is to help resolve in-theater radio communication delays. Additionally, the Ultra High Frequency (UHF) satellite system now in place will soon become obsolete, and the IW software (and, therefore, its upgrade) can bridge the gap between UHF and its replacement – the Mobile User Objective System (MUOS). Meanwhile, the IW software upgrade is slated to “provide an increase of several hundred networks for ARC-231 SATCOM users,” the company reports.

BAE to supply Iraqi Army with 400 M113s

In conjunction with the Anniston Army Depot (ANAD), BAE Systems will be sprucing up 440 M113A2 carriers for the Iraqi Army, per a recent $31 million foreign military sales contract. Though just announced by BAE, the contract work of swapping damaged and old equipment wares for new components to restore mission capability is slated for fulfillment this April. Work will be completed at BAE’s Anniston, Alabama locale, with ANAD lending a hand in the refurbishment. Under another contract, BAE is additionally slated to supply ANAD with materials for ANAD’s refurbishment of 586 more Iraq-bound M113A2s. Boasting 80,000 vehicles internationally in 40 flavors, the M113 armored tracked vehicle carries a driver and 12 soldiers and is amphibious and rough-terrain/high-speed savvy (Figure 2).

Figure 2 | ANAD and BAE will team to spruce up 440 M113A2 carriers for the Iraqi Army, per a $31 million foreign military sales contract. M113 photo by PFC Brandon E. Loveless, USMC

General Dynamics MUOS demo succeeds

General Dynamics has successfully demonstrated – via the Joint Tactical Radio System (JTRS) Handheld, Manpack, Small Form Fit (HMS) radio dubbed the AN/PRC-155 (Figure 3) – that the Mobile User Objective System (MUOS) SATCOM waveform can indeed deliver secure data and voice communications. The demonstration featured the AN/PRC-155 loaded with MUOS waveform software “to transmit encrypted voice through a MUOS-satellite simulator to the MUOS ground station equipment that will soon be deployed in Sicily,” the company reports. The MUOS system is slated to facilitate secure mobile, networked comms internationally, regardless of environment extremity. MUOS waveform completion is anticipated by the third quarter of this year, with MUOS capability fielded to soldiers by year’s end on the AN/PRC-155.

Figure 3 | General Dynamics has demonstrated via the JTRS HMS radio that the Mobile User Objective System (MUOS) SATCOM system can deliver secure voice and data.

AFRL contract boosts imagery usefulness

Surveillance video/imagery is a wonderful thing – but only if someone (or something) can derive some valuable military intelligence from it (Figure 4). Accordingly, the Air Force Research Laboratory/RKIF recently issued two contracts: One $12 million contract was awarded to SRI International for the design of indexing and visual exploitation tools that can quickly “extract mission-relevant visual intelligence from large quantities of diverse, ill-defined, unstructured imagery captured from multiple adversary sources,” reports the DoD website. Meanwhile, the second contract was granted to ObjectVideo, Inc., which will develop an “analyst tool” by integrating pattern matching and computer vision algorithms already incarnated. The tool will then be used to gather pertinent information from imagery that is unstructured and has no or little metadata. Both contracts are anticipated for completion in February 2016.

Figure 4 | The AFRL recently issued contracts to SRI International and ObjectVideo, Inc., both to simplify intelligence extraction from surveillance video and imagery. U.S. Air Force photo by Tech Sgt. Randy Redman

Lockheed Martin vs. battlefield IEDs

IEDs often plague the battlefield, and a recent DoD/Lockheed Martin contract will help thwart such dangers. Specifically, the U.S. General Services Administration (GSA) Federal Systems Integration and Management Center (FEDSIM) awarded Lockheed Martin a $900 million (maximum) Operations Support (OPS) Services IDIQ contract supporting the DoD’s Deputy Secretary of Defense-directed Joint Improvised Explosive Device Defeat Organization (JIEDDO) initiative. JIEDDO’s mission is to overturn enemy IED campaign strategies, and Lockheed Martin will assist by providing JIEDDO’s analytical team with combat support, analysis, operations, and IT support – in the form of reach-back or in-theater support. The contract – slated for two-year fulfillment and piggybacked with a triad of one-year contract options – is one of five such JIEDDO support contracts.

Northrop Grumman is right on target

As part of a 2010 seven-year, $920 million IDIQ contract, Northrop Grumman recently received orders for a duo of follow-on LRIP versions of its LITENING SE advanced targeting pods, for a combined pricetag of $66 million. Having recently undergone a USAF flight test program aboard A-10C (Figure 5) and F-16 Block 40/50 aircraft, LITENING SE features the latest in data link, laser imaging, and sensor technologies and comprises 1Kx1K forward looking infrared, two-way multiband data link, enhanced zoom, short wave infrared sensors, and tracker improvement – all designed to provide improved target ID at longer ranges and reduce pilot workload at the same time.

Figure 5 | Northrop Grumman received a duo of follow-on orders for its LITENING SE advanced targeting pods, which completed a USAF flight test program aboard A-10C (pictured) and F-16 Block 40/50 aircraft. U.S. Air Force photo by Senior Airman Willard E. Grande II

For consideration in Defense Tech Wire, submit your press releases at http://submit.opensystemsmedia.com. Submission does not guarantee inclusion.


Special Report
EMBEDDED AVIONICS FOR MILITARY AIRCRAFT

New aircraft platforms get cut back, opening the door for avionics retrofits that leverage COTS hardware and software

By John McHale, Editorial Director

Military cockpits – from helicopters to cargo jets to fighter aircraft – will be depending on open architecture designs and Commercial Off-the-Shelf (COTS) hardware and software to keep them flying beyond the next decade as DoD budgets scale back on new platforms. Meanwhile, industry and government experts formed a consortium to enable affordable, platform-agnostic avionics.

The Black Hawk UH-60M cockpit uses Rockwell Collins avionics and synthetic vision technology in the right-hand inboard multifunction display.


Doing more with less is becoming the modern-day mantra of the U.S. Department of Defense (DoD) when it comes to funding military technology procurement. As DoD officials reduce spending across the services – especially when it comes to big-ticket platforms like the Joint Strike Fighter (JSF) – greater emphasis will be placed on maintaining current airborne platforms for at least another decade or more.

No longer will the DoD fund technology development from the ground up. Consequently, the industry is forced to become more cost effective in system designs for avionics retrofits by leveraging common standards and Commercial Off-the-Shelf (COTS) technology that can be used on multiple platforms.

The U.S. financial crisis is not getting settled any time soon, but the world’s not getting any safer either, and the U.S. military will need to maintain and improve its capability during that time, says Mark Grovak, avionics business development for Curtiss-Wright Controls Defense Solutions. Newer platforms such as the F-22 Raptor and JSF will continue to face delays and cutbacks, so the U.S. military will have to update the current aircraft fleet to support current and future missions, Grovak continues. This is good news for COTS suppliers, he adds.

“Retrofits and upgrades to current programs are a huge opportunity given the government’s resistance to fund new programs, while asking the military services to do more with their existing equipment,” says Mac Rothstein, Product Manager, Systems, GE Intelligent Platforms in Charlottesville, VA.

In a lot of avionics upgrades, “we use today COTS processors and many other components,” says Dan Toy, Principal Marketing Manager at Rockwell Collins in Cedar Rapids, IA. “We leverage what is being developed throughout the electronics industry. The telecommunications industry has poured huge amounts of money into the development of electronics that are applicable to military avionics systems. We vary away only when we have a unique need that commercial markets cannot provide.”

“Basically we build thousands of processor cards a year and we use COTS chip technology in a Rockwell Collins processor design,” says Brett Tinkey, Program Manager, Rockwell Collins Airborne Solutions. “That’s primarily how we leverage COTS; we buy COTS devices such as Freescale chips and we design around the chipset.”

A typical component Rockwell Collins leverages is FPGAs, Tinkey says. “One of the best ways to effectively meet reduced size, weight, and power requirements is to leverage FPGAs, which enable you to reduce the footprint or size of a product.” In one upgrade, Rockwell Collins engineers were able to reduce the footprint for one processing function from three boards to one 6U VME board by taking advantage of high-performance commercial components such as FPGAs, he continues. Reducing the footprint enables the system to grow and add capability for the military customer, Tinkey adds.

Moore’s Law shows that the trend toward smaller designs with great capability will continue and is why a VME card today versus one from five years ago “has almost twice the functionality and twice the horsepower,” says Doug Patterson, Vice President of Business Development for Aitech in Chatsworth, CA.

Board-level COTS

“At the board level, we evaluate the efficiencies of building the boards ourselves versus buying completed boards from a manufacturer,” Toy says.

“When we build units ourselves for programs that are one-offs, we will go buy and leverage COTS suppliers such as Curtiss-Wright and GE Intelligent Platforms,” Tinkey says. “Cycle time is an issue in this decision process as well,” as COTS suppliers with a good track record can provide boards and cards more quickly than an integrator would. Design cycles are also trending shorter in the current DoD procurement climate.

“The key in being a COTS supplier is that you can get your customer at least 80 percent of the way to their final desired solution with an off-the-shelf product,” Rothstein says. “In reality, the chances of having an off-the-shelf product that meets all of your customer’s I/O, environmental, and mechanical requirements is very high if you offer enough variations of a subsystem to cover most requirements. Customers can use the off-the-shelf solution to begin their software development while we work with them on the final 10 to 20 percent of the modified system.”

A rugged GE Intelligent Platforms system used in avionics applications is the IPS511, which generates 360-degree views for improved situational awareness (Figure 1). The subsystem can process multiple simultaneous analog video inputs for a variety of different video display configurations for two simultaneous video outputs. For more information, visit http://defense.ge-ip.com/products/3613.

Figure 1 | The IPS511 from GE Intelligent Platforms generates 360-degree views for improved situational awareness.

Military avionics integrators “want higher levels of software and hardware integration and reductions in size, weight, power, and cost,” Patterson says. Regarding hardware and software integration, the military customer base wants products that can come from different suppliers to be able to work together in their system, Patterson continues. This integration is the burden of the supplier, he adds.


COTS pedigree is important

Military program managers don’t believe PowerPoint presentations anymore; they want to see real hardware and know that the supplier has a pedigree or past history of success in other platforms, says Curtis Reichenfeld, Chief Technical Officer of System Solutions for Curtiss-Wright Controls Defense Solutions in Ashburn, VA. Technical Readiness Levels (TRLs) are driving government procurements, he continues. Products earn high TRLs for new programs when they have been demonstrated or designed into military programs with similar requirements.

Military aviation program managers want to reduce risk on programs by having suppliers with a proven program pedigree or high TRL – in other words a history of successful avionics design-ins on fielded platforms, Reichenfeld says.

Military customers want suppliers that have “history, heritage, and pedigree,” Patterson says. For example, imagine a program where a customer needs a new acoustic sensor for hostile fire detection on HMMWV [High Mobility Multipurpose Wheeled Vehicle], he continues. They would have to start from the ground up developing hardware; it would be six months before they had a prototype and another six months to a year before they could ruggedize it to stick in a vehicle to go through hard testing – which is about when the software team would start their development process, Patterson explains. If they leverage COTS hardware that is already qualified, the software team could get up and started immediately, shaving cost and development time, he says.

Aitech’s rugged COTS avionics offerings include the M595 PMC and M597 XMC cards (Figure 2). Both use the advanced AMD/ATI E4690 Graphics Processing Unit (GPU) operating at 600 MHz with a 512 MB on-chip GDDR3 SDRAM frame buffer. The E4690 works with an integrated, onboard FPGA to support additional video output formats, overlay, underlay, and keying features. For more information, visit www.rugged.com.

Figure 2 | Aitech’s rugged M595 PMC and M597 XMC cards are used in avionics applications.

The Black Hawk UH-60M’s cockpit uses COTS avionics components from Rockwell Collins.

Managing the avionics component life cycle

COTS avionics components and systems cut the design cycle and are more affordable but must be closely managed to effectively refresh designs and deal with obsolescence in military platforms that last for decades.

Rockwell Collins engineers have been leveraging common COTS processors, boards, and other components across Army Aviation platforms for more than 15 years through their Common Avionics Architecture System (CAAS), Toy says. CAAS was originally created to refresh variants of the Army’s MH-47G Chinook and MH-60L/M Black Hawk Special Forces helicopters, Toy says. CAAS systems are based on an open architecture approach that leverages adopted industry standards across multiple helicopter platforms, which cuts down technology insertion costs as well as capability retrofits.

CAAS is still going very well for Army Special Operations programs, Toy says. “All of the avionics systems are performing very well and we are beginning to field the second generation of processors.” One of Rockwell Collins’ most recent CAAS upgrades was on the MH-47F Chinook to keep that rotorcraft flying through 2030, he adds.

Because of CAAS, Army Aviation program managers are able to provide a large level of commonality across their fleet of Special Operations helicopters, Toy says. For example, the UH-60M Black Hawk has many of the same avionics display components of the MH-47F Chinook, he adds.

Using one set of cards or boards across multiple platforms “allows us to benefit from economies of scale to manage those common designs,” Toy continues. “We frequently take our approach to develop synergies between various offerings.”

Obsolescence can be managed

Eliminating development costs is not the only reason military customers work with traditional COTS suppliers, Grovak says. Another is that they also want to reduce the total ownership cost of the product. Military systems will need to operate effectively for many years in the field, and the customer needs a strong logistic support plan so they don’t have components go obsolete that cannot be supported anymore, Grovak says.

The most important thing when managing obsolescence is to pick the right components, Tinkey says. “We’re buying a lot of the same parts from our vendors, which will help extend the longevity of our products through a common set of parts in all Rockwell Collins products. The other thing you do is work closely with vendors from the beginning on a life-cycle management plan. It helps that many of the successful suppliers already have product longevity plans in place.”

Sidebar 1 | FACE consortium enables affordable, platform-agnostic avionics

Industry and government avionics experts have joined hands in an effort to effectively manage avionics design costs through the use of open standards and COTS technology. The effort is a consortium called the Future Airborne Capability Environment (FACE), which is independently hosted by The Open Group.

The FACE initiative was initiated by officials at the U.S. Navy Naval Air Systems Command (NAVAIR) in Patuxent River, MD, says Dave Lounsbury, Chief Technical Officer with The Open Group in Natick, MA. NAVAIR had new avionics procurements coming up and wanted to stretch taxpayer dollars a little farther by designing affordable avionics that could be used on different aircraft platforms so they came “to talk to us at the Open Group about putting together something with industry collaboration.”

NAVAIR sponsors FACE along with Army PEO Aviation, Lockheed Martin, and Rockwell Collins.

The Open Group helps provide infrastructure and guidance on the collaboration, Lounsbury says. “The FACE members bring the energy and the answers, and we make sure that it’s all open and neutral.” The Air Force is involved, but is not yet a member directly, Lounsbury says. However, “We have people who work with the Army and Navy, who work with the Air Force and do participate in the meetings.”

FACE will bring together peers in industry and government to select the correct standards that focus on openness, safety, integrity, and security, says Dan Toy, Principal Marketing Manager at Rockwell Collins in Cedar Rapids, IA. It is about creating an open computing environment that enables avionics software applications to move from one platform to another in an affordable way, he adds. Rockwell Collins was one of the original sponsors of FACE, Toy says. “NAVAIR contacted us to discuss how to go about the FACE concept and turn it into an industry consortium.”

“We’ve just released the FACE standard,” Lounsbury says. “We went from forming the consortium to releasing the FACE 1.0 specification in 18 months. That’s pretty quick. We try to attack it from all dimensions, but ultimately it is about making standards work. We think that the standards technology lays the basis for interoperability and affordability.”

One of the main objectives of FACE is to have a library of avionics hardware and software technology for avionics suppliers (such as Curtiss-Wright Controls Defense Solutions and Green Hills Software) to register to show they are FACE compliant, Lounsbury continues.

Curtiss-Wright has been involved with FACE for more than a year, says Mark Grovak, avionics business development for Curtiss-Wright Controls Defense Solutions in Ashburn, VA. “Our ability to support the FACE environment is one more reason why we can get access to a lot of platforms and support multiple applications.”

For more information on FACE, visit www3.opengroup.org/getinvolved/consortia/face.

Sidebar 1 | The Future Airborne Capability Environment (FACE) consortium, hosted by The Open Group, comprises industry and government avionics experts working to manage avionics design costs through open standards and COTS technology.

Sidebar 2 | Special Operations HC/MC-130J upgrading with COTS network storage solution from Curtiss-Wright

Lockheed Martin Aeronautics engineers in Marietta, GA, upgraded the storage capability for the avionics and mission systems on the U.S. Air Force Air Combat Command’s HC/MC-130J Super Hercules with the Vortex Compact Network Storage (CNS) subsystem from Curtiss-Wright Controls Defense Solutions in Ashburn, VA. The storage system will be used in the Network File Server (NFS) for the aircraft (Sidebar Figure 1).

Vortex is a rugged, conduction-cooled NFS device that enables data sharing over the HC/MC-130J’s internal network. Data is stored securely on solid-state memory and encrypted with the AES-256 algorithm, according to a Curtiss-Wright public release.

The HC/MC-130J’s data recording requirement called for data to be recorded in nonvolatile memory for running analysis and debriefing functions, says Tom Bowman, Senior Product Manager, Curtiss-Wright Controls Defense Solutions. They can record a very high degree of fidelity – the entire mission as well as when they bring out the mission plan, he continues. “It can include graphics and many other digital forms of information that you couldn’t put on a PCMCIA card in the past.”

Sidebar Figure 1 | The Vortex Compact Network Storage (CNS) subsystem from Curtiss-Wright Controls Defense Solutions is flying on the HC/MC-130J Super Hercules.

Sidebar 2 | Lockheed Martin Aeronautics upgraded the storage capability for the avionics and mission systems on the USAF’s HC/MC-130J Super Hercules with the Vortex Compact Network Storage (CNS).


Mil Tech Trends
TRANSITIONING FROM DO-178B TO DO-178C

DO-178C brings modern technology to safety-critical software development

By Tim King and Bill StClair

Avionics software technology has improved by leaps and bounds since DO-178B was introduced in 1992. DO-178C will bring safety-critical software development into the modern era, adding support for advanced techniques such as UML and mathematical modeling, object-oriented programming, and formal methods. The ready availability of third-party tools, platforms, and certification services will hasten the adoption and deployment of DO-178C.

U.S. Air Force photo by Staff Sgt. Austin M. May

As software becomes more complex, it becomes hard to manage the design of that software at the code level. Object-oriented programming (C++, Ada, and Java) and modeling (UML, mathematical, and so on) simplify the development of complex software by enabling designers to conceptualize, architect, and encapsulate their design at a higher level. Formal methods, which are related to model based development, make it easier to assess correctness of complex software functions like control loops.

DO-178C inherits the DO-178B core document, principles, and processes, while adding support for high-level modeling, object oriented programming, and formal methods, with an emphasis on two-way traceability from model to executable code and back (Sidebar 1). DO-178C also provides a tools supplement for addressing in detail the qualification and capabilities of the tools used for not only modeling, object-oriented programming, and formal methods, but also for other development technologies such as procedural software and assembly-level programming.

The DO-178C supplements

The DO-178C working group has produced three development technology supplements: Object Oriented Technology and Related Techniques (OOT & RT), Model Based Development and Verification, and Formal Methods. It also greatly expanded the tool qualification guidance present in DO-178B. These four supplements have been published by the RTCA as:

›› DO-330, Software Tool Qualification Considerations
›› DO-331, Model-Based Development and Verification Supplement to DO-178C and DO-278A
›› DO-332, Object-Oriented Technology and Related Techniques Supplement to DO-178C and DO-278A
›› DO-333, Formal Methods Supplement to DO-178C and DO-278A

Note that DO-278A is the ground system equivalent of DO-178C.

Object Oriented Technology and Related Techniques

The Object Oriented Technology and Related Techniques (OOT & RT) supplement is a comprehensive safety-critical software guide for hand code development and verification. It encompasses not only object oriented software development, but also techniques that are used in procedural languages. These related techniques include such things as dynamic memory management, overloading, parametric polymorphism (such as templates in C++ and generics in Ada), type conversions, and virtualization. The net result is that the OOT & RT supplement could be invoked on most projects utilizing procedural languages as well as OOT.

The most significant addition to the OOT & RT is the definition of new objectives. Objectives identify which development assets, integrated processes, and verification artifacts must be produced for a product to be certifiable. The OOT & RT defines two new verification objectives: The first verifies local type consistency, which enables subclass methods to safely override parent class methods. The second verifies that the use of the dynamic memory management system is robust. In particular, it verifies the following characteristics of the dynamic memory management system: reference ambiguity, fragmentation starvation, deallocation starvation, memory exhaustion, premature deallocation, lost updates and stale references, and unbound allocation or deallocation time.

Model Based Development and Verification (MBD&V)

The biggest and most contentious challenge in reviewing and approving the MBD&V supplement was determining the final verification method used on the Executable Object Code (EOC) compiled, linked, and loaded on the target system. In the context of the MBD&V systems under consideration, the EOC is directly traceable to the source code automatically generated by the model. Historically, there has been a precedent set in the verification of some avionics software that was tested both by and in the model itself without doing target testing on the EOC, effectively obviating the objectives for EOC testing in the DO-178C “core document.” Instead, the DO-178C plenary agreed that a form of independent verification must be performed on the EOC on the target system, thereby preserving the EOC objectives of DO-178C.

Notwithstanding the consensus reached with respect to EOC verification, the MBD&V supplement did add many objectives that provide certification credit for verification activities performed by the model, or at least defined by the model, on the model architecture and model code. These verification activities are primarily performed by “simulation cases,” which are run in lieu of test cases and other forms of verification.

Probably the most definitive of the FAQs added to any of the DO-178C tech supplements were those added to the MBD&V supplement. The scope of the new FAQs spans development and verification, including not only standard high- and low-level software requirements and the associated specification and design models, but also the system requirements allocated to software. Historically, the gaps between these model types and requirements hierarchies and their various provenances have been a leading cause of ambiguity and poorly realized designs in MBD&V projects.

Formal methods supplement

The Formal Methods supplement follows a similar trajectory to that of MBD&V in that it also eventually agrees to preserve the EOC objectives of the core document by stipulating independent verification for the EOC ultimately produced by formal methods or mathematical proofs. A key question that has not been definitively addressed by either the Formal Methods or MBD&V supplements is the obvious domain overlap that can occur between these supplements. That is, Formal Methods (FM) as a development and verification technology utilizes a form of model based development itself. This and other potential domain overlaps will be addressed by the FAA in circulars, which will be published this year.

Sidebar 1 | Enhanced verification technology

The incorporation of advanced modeling and object oriented programming techniques places new demands on verification. The system must be verifiable and traceable at the model level, and verification evidence at the model level must be available to the broader verification and traceability framework.

In DO-178B, traceability is one-way and top-down, from the requirements to the target code, and provides no support for high-level modeling or object oriented programming. DO-178C introduces a distributed and collaborative two-way traceability mechanism that enables designers to trace from their models and requirements down to each line of code, and back from the code to the requirements and model, including all interceding work products and test cases.

DO-178C defines traceability requirements for all of the safety integrity levels, from Level D to Level A. At Level D, where no coverage analysis is required, designers need only be able to trace to the high-level requirements. At levels A, B, and C, where coverage analysis is introduced, designers must be able to trace all the way from the high- and low-level requirements to source code and back to low- and high-level requirements. Level A adds another level of traceability, also found in DO-178B, which requires traceability from the source code to the executable object code.

Traceability also requires that the executable code be intact relative to the source code. Many compilers, for example, add branch points to the executable code that are not present in the original source code. These branch points must be identified and tested. Conversely, some optimizations can remove constructs, data in particular (especially static data).

Sidebar 1 | The incorporation of advanced modeling and object oriented programming techniques in DO-178C places new demands on verification.
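The level-dependent, two-way traceability described in the sidebar can be checked mechanically over a project's trace data. The Python sketch below is an added example, not part of the original article or of any DO-178C tool; the layer names (including a SYS layer for system requirements allocated to software), the item identifiers, and the sample trace data are constructed assumptions.

```python
from collections import defaultdict

# Life-cycle data layers, ordered top-down. The SYS layer (system requirements
# allocated to software) is an assumption of this sketch.
LAYERS = ["SYS", "HLR", "LLR", "SRC", "EOC"]

# Deepest layer that must be traceable at each software level, as a simplified
# reading of the sidebar: D stops at high-level requirements, B and C reach
# source code, A adds executable object code.
DEEPEST = {"D": "HLR", "C": "SRC", "B": "SRC", "A": "EOC"}


def check_traceability(level, items, links):
    """Return a sorted list of (finding, id) pairs for two-way trace gaps.

    items: dict mapping item id -> layer name
    links: iterable of (parent id, child id) pairs joining adjacent layers
    """
    depth = LAYERS.index(DEEPEST[level])
    in_scope = {i for i, layer in items.items() if LAYERS.index(layer) <= depth}
    children, parents = defaultdict(set), defaultdict(set)
    findings = []

    for parent, child in links:
        if parent not in items or child not in items:
            findings.append(("dangling-link", f"{parent}->{child}"))
            continue
        if parent not in in_scope or child not in in_scope:
            continue  # deeper than this software level requires
        if LAYERS.index(items[child]) - LAYERS.index(items[parent]) != 1:
            findings.append(("layer-skip", f"{parent}->{child}"))
            continue
        children[parent].add(child)
        parents[child].add(parent)

    for item in in_scope:
        idx = LAYERS.index(items[item])
        # Top-down: everything above the deepest layer must be realized below.
        if idx < depth and not children[item]:
            findings.append(("no-downward-trace", item))
        # Bottom-up: everything below the top layer must be justified above.
        if idx > 0 and not parents[item]:
            findings.append(("no-upward-trace", item))
    return sorted(findings)


# Constructed sample trace data for a fictional altitude-hold function.
SAMPLE_ITEMS = {
    "SYS-1": "SYS",
    "HLR-1": "HLR", "HLR-2": "HLR",
    "LLR-1": "LLR", "LLR-2": "LLR", "LLR-3": "LLR",
    "alt_filter()": "SRC", "alt_limit()": "SRC", "debug_dump()": "SRC",
    "obj:alt_filter": "EOC", "obj:alt_limit": "EOC",
    "obj:debug_dump": "EOC",
    "obj:bounds_check_stub": "EOC",   # compiler-added, no source counterpart
}
SAMPLE_LINKS = [
    ("SYS-1", "HLR-1"), ("SYS-1", "HLR-2"),
    ("HLR-1", "LLR-1"), ("HLR-1", "LLR-2"), ("HLR-2", "LLR-3"),
    ("LLR-1", "alt_filter()"), ("LLR-2", "alt_limit()"),
    # LLR-3 is never implemented; debug_dump() has no requirement behind it.
    ("alt_filter()", "obj:alt_filter"), ("alt_limit()", "obj:alt_limit"),
    ("debug_dump()", "obj:debug_dump"),
]

if __name__ == "__main__":
    for lvl in "DCBA":
        print(lvl, check_traceability(lvl, SAMPLE_ITEMS, SAMPLE_LINKS))
```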


Software tool qualification considerations

Qualification of a tool is needed when processes of DO-178C are eliminated, reduced, or automated by the use of a software tool without its output being verified as specified in the standard. The purpose of the tool qualification process is to ensure that the tool provides confidence at least equivalent to that of the process(es) eliminated, reduced, or automated.

The Software Tool Qualification Considerations document introduces a new tool qualification structure that consists of three criteria and five Tool Qualification Levels (TQLs) as shown in Table 1.

SOFTWARE LEVEL | CRITERIA 1 – Replacement of DO-178B development tool | CRITERIA 2 – Expanded tool use in new DO-178C methodologies | CRITERIA 3 – Replacement for DO-178B verification tool
A | TQL-1 | TQL-4 | TQL-5
B | TQL-2 | TQL-4 | TQL-5
C | TQL-3 | TQL-5 | TQL-5
D | TQL-4 | TQL-5 | TQL-5

Table 1 | The Software Tool Qualification Considerations document introduces a new tool qualification structure that consists of three criteria and five Tool Qualification Levels (TQLs).

›› Criteria 1’s applicable TQL is the replacement for the development tool in DO-178B.
›› Criteria 2 is new for DO-178C and is intended to address the expansion of tool use in new methodologies. Criteria 2 basically requires an increased level of rigor over DO-178B criteria for tools used on software level A and B in order to increase the confidence in the use of the tool.
›› Criteria 3, which consists entirely of the level TQL-5, is the replacement for the verification tool in DO-178B.

To help safety-critical developers take full advantage of DO-178’s advanced capabilities, tools that automate and streamline the development, verification, and certification process have become essential. For example, DO-178C, section 11 introduces Trace Data, which it describes as reference links among life-cycle data items such as requirements, design, source code, and test cases. A key aspect of tools that automate life-cycle data traceability is a facility for establishing traceability forwards and backwards, from requirements down through the decomposition tree, onto the executable code and back again, including verification tasks.

Automated tools greatly reduce the time and cost associated with developing DO-178-compliant software. DO-178 certification, however, is still an expensive, time consuming, and arduous process. To help expedite this process for avionics equipment makers, some companies, such as DDC-I, offer Eclipse-based development tools and RTOS platforms that have already undergone DO-178B Level A certification, in addition to turnkey development and certification services for both DO-178B and DO-178C.

DO-178C simplifies avionics development

DO-178C marks a big step forward for developers of complex avionics software that must be certified to the highest levels of safety criticality. DO-178C simplifies the development process by embracing formal methods, high-level modeling, and object oriented techniques that enable designers to conceptualize and encapsulate their software at a higher level. It also streamlines the verification and certification process by providing two-way traceability that extends from the models and requirements to the executable code and back again. Together with automated tools, platforms, and certification services, DO-178C greatly clarifies the risk and potential means of reducing the costs associated with developing, certifying, and deploying complex safety-critical avionics software.

Tim King is the Technical Marketing Manager at DDC-I. He has more than 20 years of experience developing, certifying, and marketing commercial avionics software and RTOSs. Tim is a graduate of the University of Iowa and Arizona State University, where he earned Master’s degrees in Computer Science and Business Administration, respectively. He can be contacted at tking@ddci.com.

DDC-I | 602-275-7172 | www.ddci.com

Bill StClair is currently Director, US Operations for LDRA Technology in San Bruno, California and has more than 25 years in embedded software development and management. He has worked in the avionics, defense, space, communications, industrial controls, and commercial industries as a developer, verification engineer, manager, and company founder. He is an inventor of a patent-pending embedded requirements verification system. He can be contacted at bstclair@ldra-usa.com.

LDRA | 650-583-8880 | www.ldra.com


Mil Tech Trends
TRANSITIONING FROM DO-178B TO DO-178C

Trusting the tools: An agile approach to tool qualification for DO-178C

By Dr. Benjamin Brosgol and Greg Gicca

The new avionics software safety standard DO-178C, along with its supplemental Software Tool Qualification Considerations (DO-330), has clarified and expanded the tool qualification guidance provided in DO-178B. The challenge of maintaining qualification-ready tools throughout a system’s evolution can be expedited through an approach based on agile development principles.

If a manual activity required for avionics software certification is reduced or replaced by an automated tool, and the output of that activity is used without being verified, then the developer needs to qualify the tool: demonstrate that the tool is at least as trustworthy as the activity that it is replacing. The new avionics safety standard, DO-178C – together with its companion Software Tool Qualification Considerations, DO-330 – has clarified and expanded the tool qualification guidance defined in DO-178B. The following discussion summarizes the new guidance and describes an agile approach to maintaining qualification-ready tools in the presence of system maintenance and changes.

Tool qualification in DO-178B

DO-178B[1], a commercial avionics software safety standard that is finding increasing usage in military aircraft development, is often referred to as “process based”: It specifies an interrelated collection of software life-cycle processes, each comprising a set of activities and associated objectives. The activities produce outputs (“artifacts”) that are evaluated by certification authority personnel to see if they comply with the objectives specified in DO-178B. The applicable objectives (and thus the applicable activities and artifacts) depend on the Software Level: the criticality of the software in ensuring aircraft and occupant safety. The levels range from E (no effect) to A (software failure can directly lead to loss of aircraft and, therefore, lives).

Some DO-178B activities are automatable, and the standard describes how a tool can be trusted to replace or reduce a manual activity if the tool’s output is used without being verified. It defines two categories: development tools and verification tools. A development tool generates output that is part of the airborne software and thus has the potential to introduce errors. An example is a code generator that produces source code from a model-based design. A verification tool cannot introduce any errors but may fail to detect errors, for example, a static analysis tool that identifies variables that are read before being initialized.

Tool qualification entails preparing, among other data items, the Tool Operational Requirements (TOR). The TOR defines various properties of the tool including its features, installation, usage, and operational environment.

A development tool needs to be qualified if, and only if, the software generated by the tool will not be subjected to the same applicable certification objectives as the other airborne software. Development tool qualification entails meeting the same objectives as for the certification of the airborne software. (Although compilers and linkers are development tools, qualification is not required since their output is verified through other DO-178B activities. Indeed, qualification would be expensive and would not simplify the effort in meeting other objectives such as traceability analysis.)

Qualifying a verification tool is considerably simpler than qualifying a development tool, in part because DO-178B’s philosophy is to encourage the use of such tools to automate activities involving repetitive and rule-based tasks, which are better performed by automated tools than by humans. Qualifying a verification tool basically consists in demonstrating that the tool complies with its TOR.

Tool qualification in DO-178C

Tool qualification has been an important part of DO-178B certification, but several issues have arisen in practice:

›› The distinction between a verification tool and a development tool is not always straightforward. Moreover, a verification tool might not simply automate a specific activity; its output may also be used to eliminate or reduce some other activity.
›› Requiring a development tool to meet the same objectives as the airborne software is unnecessarily restrictive, since the operational environments are different. For example, an unbounded recursion in the avionics software could exhaust stack storage and lead to a system failure; the same behavior in a development tool would not present a safety hazard.
›› Although tool qualification is intrinsically in the context of a specific system, it would be beneficial if the qualification requirements expedited reuse of qualified tools on a modified version of an existing system.

All of these issues are addressed in either DO-178C[2] or its accompanying supplement DO-330, Software Tool Qualification Considerations[3].


›› The terms “development tool” and “verification tool” have been replaced by three criteria. Criterion 1 corresponds to a development tool (that is, the tool could insert an error into airborne software). Criterion 2 corresponds to a verification tool that could fail to detect an error and is used to reduce other development or verification activities. Criterion 3 corresponds to a verification tool that could fail to detect an error but is not used to reduce other development or verification activities.
›› The required qualification for a tool – its Tool Qualification Level (TQL) – depends on its Criterion and on the Software Level of the software that the tool is used for, as shown in Table 1. The TQL ranges from 5 (comparable to a DO-178B verification tool) to 1 (similar to Software Level A). The activities and data items associated with each TQL are defined in a separate document, DO-330, with the same structure as DO-178C. DO-330 provides comprehensive guidance for tool qualification and recognizes the differences between the execution environments for the airborne software and the tool.
›› DO-330 explicitly covers the usage of previously qualified tools. In brief, the reuse of a previously qualified tool is allowed as long as the developer can demonstrate, through a change impact analysis, that the tool still complies with its TQL requirements despite any changes in the operational environment or to the tool itself.

Tool Qualification Level Determination

Software Level    Criterion 1    Criterion 2    Criterion 3
A                 TQL-1          TQL-4          TQL-5
B                 TQL-2          TQL-4          TQL-5
C                 TQL-3          TQL-5          TQL-5
D                 TQL-4          TQL-5          TQL-5

Table 1 | The required qualification for a tool – its Tool Qualification Level (TQL) – depends on its Criterion and on the Software Level of the software for which the tool is used.

Reuse of previously qualified tools

The ability to reuse, or easily adapt, the qualification artifacts for a previously qualified tool is especially important. DO-178B provided no explicit guidance here. Tool qualification that was performed for one system would need to be repeated for any new system or if any aspect of the tool or environment changed. As a result, a project manager would commonly choose the operational environment and tools at an early stage, and then commit to these versions so that the tool qualification artifacts could be used during final system certification. This is sometimes referred to as the “big freeze,” where the environment and tools are locked in early.

DO-330 addresses these issues. Specific guidance for previously qualified tools allows reuse of the qualification artifacts as long as nothing has changed that would affect qualification. It considers three scenarios:

›› Reuse of a previously qualified tool without change – An example is when a tool is used for related projects or on multiple phases of an existing project. The developer needs to identify the approach and rationale in the plans.
›› Changes to the tool operational environment – The developer needs to update one or more of the plans, but the bulk of the original qualification artifacts may be reused as is. Only the updated artifacts related to the operational environment need to be reviewed by the certification authority.
›› Changes to the tool itself – A change impact analysis has to be provided, but tool requalification still has a reduced cost, essentially only requiring activities associated with aspects that have changed or are affected by the change. The key is to be able to exactly determine and specify what has changed and what these changes impact, or perhaps more importantly, what they do not impact.

Agile requalification

Based on the tool qualification guidance – either from DO-178B or from DO-178C and DO-330 – it is possible to define a framework for tracking the changes to a tool or its operational environment and for automatically initiating the tool qualification activities triggered by the changes.

For example, a tool can be initially developed and qualified based on the objectives defined in DO-178C and DO-330. The full tool development life-cycle processes and their associated qualification artifacts can be captured and maintained in a Configuration Management (CM) system, including all dependence relationships (see Figure 1).

Figure 1 | The full tool development life-cycle processes and their associated qualification artifacts can be captured and maintained in a Configuration Management (CM) system, including all dependence relationships. (Diagram labels: Tool; Artifacts; Requirements; PSAC; TQP; …; Design; Source Code; Test Cases; Test Results.)

The core CM system allows basic regeneration of all qualification data and artifacts needed to reproduce a tool qualification. The full structure allows impact and change analysis. In this way any change to the tool’s operational environment or to the tool itself can be tracked. Most importantly, the structure will clearly show which parts of the tool and its artifacts are not affected and thus can remain unchanged and retain their previous review and qualification readiness.

Transitioning to the new qualification guidance

DO-178B is effectively a subset of DO-178C. Thus, a project can continue with the development and certification plans established for DO-178B while migrating chosen portions to DO-178C, for example, to exploit the tool qualification objectives in DO-330. Therefore, both existing DO-178B projects and new DO-178C projects can take advantage of DO-330’s cost-effective guidance on tool qualification and requalification.

The AdaCore Qualifying Machine framework[4], an in-progress implementation of the agile technique described in the previous section, supports this approach. It can help projects avoid the “big freeze,” so that tools and development environments can evolve smoothly. Tools may be upgraded to newer versions as updates become available, without the risk of losing the tool qualification required for system certification.

References:
[1] RTCA SC-167/EUROCAE WG-12. RTCA/DO-178B – Software Considerations in Airborne Systems and Equipment Certification, December 1992.
[2] RTCA/DO-178C – Software Considerations in Airborne Systems and Equipment Certification; publication expected in 2012.
[3] RTCA/DO-330 – Software Tool Qualification Considerations; publication expected in 2012.
[4] www.open-do.org/projects/qualifying-machine

Dr. Benjamin Brosgol is a senior member of the technical staff at AdaCore. He has more than 30 years of experience in the software industry, concentrating on languages and technologies for high-integrity systems. He has presented papers and tutorials on safety and security certification at numerous conferences and has published articles on this subject in a variety of technical journals. He holds a Ph.D. in Applied Mathematics from Harvard University. He can be contacted at brosgol@adacore.com.

Greg Gicca is Director of Safety and Security Product Marketing at AdaCore. He has more than 20 years of experience in designing and implementing software development tools and has participated in industry and government groups responsible for defining software quality evaluation standards. He has concentrated on the safety and security arena for embedded systems, with a particular focus on the DO-178B safety standard and the Multiple Independent Levels of Security (MILS) architecture. He can be contacted at gicca@adacore.com.

AdaCore | 212-620-7300 | www.adacore.com
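The change tracking described under "Agile requalification" above can be sketched as a walk over the dependence relationships held in the CM system. This is an added example, not AdaCore's Qualifying Machine or code from the article: the artifact names follow Figure 1, while the dependence edges, the sample contents and every function name are assumptions.

```python
"""Change impact analysis over tool qualification artifacts (added example)."""
import hashlib
from collections import deque

# Artifact -> artifacts derived from it. Names follow Figure 1 (PSAC and TQP
# are plans); the edges themselves are assumptions made for this example.
DEPENDENTS = {
    "operational_environment": ["TQP", "test_results"],
    "PSAC": [],
    "TQP": [],
    "requirements": ["design", "test_cases"],
    "design": ["source_code"],
    "source_code": ["test_results"],
    "test_cases": ["test_results"],
    "test_results": [],
}

# Constructed stand-ins for the controlled content of each artifact.
SAMPLE_CONTENTS = {name: f"{name} as qualified, revision 1" for name in DEPENDENTS}


def digest(content):
    """Fingerprint an artifact so later edits can be detected."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def baseline(contents):
    """Record the digest of every artifact at qualification time."""
    return {name: digest(text) for name, text in contents.items()}


def changed_artifacts(recorded, contents):
    """Artifacts whose current content no longer matches the baseline."""
    unknown = set(contents) - set(recorded)
    if unknown:
        raise ValueError(f"artifacts missing from baseline: {sorted(unknown)}")
    return {name for name, text in contents.items() if digest(text) != recorded[name]}


def impact(changed, dependents=DEPENDENTS):
    """Split artifacts into (affected, unaffected) for a set of direct changes.

    Affected artifacts are the changed ones plus everything reachable from
    them; unaffected ones keep their previous review status.
    """
    unknown = set(changed) - set(dependents)
    if unknown:
        raise ValueError(f"unknown artifacts: {sorted(unknown)}")
    affected = set(changed)
    queue = deque(changed)
    while queue:
        for child in dependents[queue.popleft()]:
            if child not in affected:
                affected.add(child)
                queue.append(child)
    return affected, set(dependents) - affected


def rework_order(affected, dependents=DEPENDENTS):
    """Order the affected artifacts so each is redone after its inputs."""
    indegree = {name: 0 for name in affected}
    for parent in affected:
        for child in dependents[parent]:
            if child in indegree:
                indegree[child] += 1
    ready = sorted(name for name, count in indegree.items() if count == 0)
    order = []
    while ready:
        node = ready.pop(0)
        order.append(node)
        for child in sorted(dependents[node]):
            if child in indegree:
                indegree[child] -= 1
                if indegree[child] == 0:
                    ready.append(child)
    if len(order) != len(affected):
        raise ValueError("dependence relationships contain a cycle")
    return order


if __name__ == "__main__":
    recorded = baseline(SAMPLE_CONTENTS)
    current = dict(SAMPLE_CONTENTS, source_code="source_code with a bug fix")
    affected, unaffected = impact(changed_artifacts(recorded, current))
    print("redo, in order:", rework_order(affected))
    print("keep as reviewed:", sorted(unaffected))
```

With these assumed edges, a change to the tool's source code touches only the source code and test results, while a change to the operational environment touches the plan and the test results and leaves the rest of the baseline as reviewed.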


Industry Spotlight
SOFTWARE ANALYSIS

Open source clears up the military stovepipe mess

Interview with Carl Houghton, Vice President, Strategic Initiatives & Advanced Technology at Intelligent Software Solutions

Editor’s note: While the issue of military stovepipes continues on, Government Off-the-Shelf software provider Intelligent Software Solutions’ toolkit – already in use by several branches of the U.S. Armed Forces – is thwarting the challenge by making it possible to link several disparate databases or data sources that would have otherwise not been able to “talk” to each other. As Managing Editor Sharon Hess found out when she recently talked to Carl Houghton, Vice President, Strategic Initiatives & Advanced Technology at Intelligent Software Solutions, the “real-time” ability of the software to combine data fast and automatically notify operators of data changes greatly simplifies the challenge for command and control operatives, as well as other government personnel. Meanwhile, the open source software company also does a thing or two with iOS and Android – and watches to see which one will capture the market. Edited excerpts follow.

Can you tell me more about your company, Intelligent Software Solutions – what you do, where you’re located, what your focus is, and so on?

HOUGHTON: Intelligent Software Solutions is a software and public services company founded about 15 years ago and headquartered in Colorado Springs. The company was started by four software engineers who still own the company. We’ve got close to 700 employees today, with offices in Tampa, Florida; Rome, New York; Washington, D.C.; and Hampton, Virginia; and we just opened an office recently in Boston. We’ve got four major business units in the company: One focuses on Command and Control and Intelligence, Surveillance, and Reconnaissance. We also have a National Systems division, focused on D.C. area customers and the Coast Guard. Then we have our Enterprise System Division, which used to be called Combat Systems and provides support to ongoing operations in Afghanistan and a couple other places. And then we’ve got my division, Strategic Initiatives, and we focus on advanced technology development. We are doing things for DARPA and other service laboratories and research and development work, both IRAD as well as government-funded research and development.

You’re focused on Government Off-the-Shelf [GOTS], I believe?

HOUGHTON: Yes, we develop software for desktop, Web, and mobile device applications; we’re predominantly a Government Off-the-Shelf software provider: The government owns unlimited use rights to everything we develop, so they don’t have to license for each deployment. What is nice about that model is that we’ve got this ubiquitous data access framework on the backend that can connect up to a lot of different data sources. And then we can use that to push the data out, whether it be to a desktop application, a Web application, or a mobile application. And so we try to reuse these government off-the-shelf frameworks as much as we can in our applications.

Can you tell me which government entities you work with and which kinds of open source software you’re providing them?

HOUGHTON: Our largest contract is actually with the Air Force Research Laboratory [AFRL], and they use our WebTAS-TK toolkit. It started out as a $350 million indefinite delivery/indefinite quantity [AFRL] contract, but any government agency can use [the contract] to purchase software and services. The toolkit is software that provides ubiquitous data access, visualization, and data analysis for a wide range of applications. And what’s nice about it is we can build on top of that framework. [When] you want to build the new application, we have a 70 to 80 percent solution at the starting point and then we can build what we call “business layers” on top of that to extend it to solve different problems. So for the Coast Guard, we could take a piece of Government Off-the-Shelf software, build a business layer on top of that that is specific to their requirements and workload, and they have a solution without having to start from scratch and [without having to] ask for licensing and software. So we replicate that model across the government space.

We do a lot of work with the Air Force and the Army and some work with the Coast Guard, as I mentioned. We typically provide them with WebTAS-TK or perhaps CIDNE, which is software that tracks events. So if you have a series of events that takes place and you want to track it and you want to track who was involved, for example, CIDNE enables you to do that. So the main two applications we deploy to our customer base right now are WebTAS-TK and CIDNE. We’ve got other types of software that are more minor applications. We do service oriented architecture infrastructures for the space community and for several others.

Are WebTAS-TK and CIDNE used by warfighters or by operators at a desk?

HOUGHTON: Yes to both. The users could be [soldiers] deployed in Afghanistan, who use the software for various visualization/analytical purposes [and transmit that information] to people who are back in the U.S. using the data for Command and Control purposes. The Coast Guard is using it for maritime operations for securing our ports.

Let’s drill down on how WebTAS-TK works.

HOUGHTON: Sure. So the software itself is predominantly a Java-based framework that allows us to do database connections. We can use JDBC- or ODBC-type connections to connect to relational databases. We can connect to other relational data sources; we can connect to Web services and various streaming data sources. I can’t go into specific details about specific applications on the government space, but I can give you some information.
For example, if you had 20 different relational databases that range from Excel spreadsheets through Access databases all the way up to enterprise Oracle instances and you wanted to federate those into a single data space that could have a single logical object monolog you could query against – [WebTAS-TK] provides the ability to federate and provide that single logical object model and data space.

So once you have that, then we have a whole series of different analytical tools that allow you to visualize and analyze data temporally, geospatially, and internodally to look for interesting bits of data from your federated data space.

Tell me more about the Web and mobile applications you work on.

HOUGHTON: On the Web side, we use a wide variety of technologies, anything from JavaServer Faces to Flex and Flash. We do a lot with pure Flash with Flex and ActionScript. We also were doing some HTML5 applications, and all of those have the ability to come through the WebTAS-TK backend or provide Web-based access to that data. In the mobile space we develop on both iOS and Android, and we get to those through the use of JSON or other transport media to get the information from a WebTAS-TK backend to a mobile device on the front end.

Can you give a scenario of how the military would use WebTAS-TK?

HOUGHTON: Let’s say you had a Command and Control application requirement and that you have a database that has information on where a particular aircraft is located. And maybe you have other sources of information that say, “Here is the status of all the various bases.” And then you’ve got a third database that has maybe targets for flying purposes, and you need to federate those things so you can plan missions, know what your available resources are and what their status is, and know which targets you are going to plan against. And you need the ability to eventually bring that data together from these three disparate databases that don’t talk to each other in order to be able to do that planning. That is what you could do with this software. You could imagine that could be 50 different databases. Today it is a classic problem [in the military] of “I’ve got all these different stovepipes and no way to federate and look across them such that I can make those decisions.”

Does WebTAS-TK deliver the data, analyses, and so on in real time?

HOUGHTON: It’s real time. It can operate transactionally. So as a database or data source gets updated in real time or when a table gets data added to it or updated, or a Web service fires an event to say “Hey, something has changed,” the software can make a real-time update to the displays and the analytics and notify the operator. I know you’re talking embedded systems, so when you talk “real time,” it may be on a different sort of scale or level, but in a database transaction level, we are real time. If there has been a transaction in the database, we’re talking less than a second that the other data is updated and the operator can be made aware there has been a change to a database table.

So the change notifications are automatically generated by the software?

HOUGHTON: Correct. So the services piece that we do is customization of the software to a particular domain. But we’re not a data producer.

Since your products are deployed to the military or government, is there a security feature built into the software?

HOUGHTON: Yes. There is a security manager built into the software and it does go through security accreditation by the appropriate government agency(ies) for deployment. Both CIDNE and WebTAS-TK go through accreditation for every release.

Can you tell me more about CIDNE – how it works or a real-life military scenario?

HOUGHTON: I can’t go into as much detail on CIDNE specifically. I am basically constrained as to what is in the public domain on the program. But we use Adobe ColdFusion; it runs on top of the Microsoft SQL Server database and allows people to enter events of interest and track those events over time and space.

Is it looking for just a preset, specific event like “I am looking for a man wearing a hat going into a building,” or does it look for similarities between events?

HOUGHTON: In and of itself, it is not an analytical program. It is really a database, a federated database of events. So really it’s a series of forms where people can enter events, and they really can be any kind of event. So it could be that we’ve got burglaries around San Antonio and I want to be able to track those burglaries for the police department. It will allow users to track who was involved, where the burglaries took place, geospatially and temporally, and gives you a standardized way of everybody entering that information. But that is just one class of events; you could have a thousand classes of events and you could track them all in a single database. That is really what the power of the thing is.

You said that military is using CIDNE now?

HOUGHTON: Yes, but I can’t really go into the details of that, unfortunately.

What would you say is the focus of your government and military customers? What are the trends?

HOUGHTON: I think what we see and again when you look at constrained budgets going forward, they don’t want to necessarily pay huge licensing fees for software. And then the ability for them to fund just development on the specific functionality that they want and the ability to rapidly get that functionality into their hands.

What else – any specific technology capabilities?

HOUGHTON: Yeah, the ability to provide ubiquitous data access and connect up to and federate all those data sources is something that is very attractive. The other functional thing that people like is the ability, for instance, to send output to Google Earth. Seemingly that is a very simple thing, but when you get in and say, “OK, I want to take Google Earth and I want to connect up to 50 different data sources with it,” there is not a way to do that out-of-the-box using just Google Earth – especially if those are relational databases with very complex data models. And so we have a lot of users that use us as kind of an intermediary to translate from all the databases they want to get at and send to Google Earth on the other side.

All the software your company designs – WebTAS-TK and CIDNE and your software for mobile devices – that’s ALL Government Off-the-Shelf?

HOUGHTON: That is correct. Everything we do is GOTS.


Would there be security issues in using GOTS software for commercial customers, if your commercial customers knew how to use the same software that government customers were using?

HOUGHTON: No, because the core software itself is rather innocuous. There are no security issues with providing that in the commercial space. We have gotten approval from the government to actually sell it as a commercial product, so they have gone through the security reviews and have no issues with it. We have also gone through the Commerce Department and gotten a commerce jurisdiction to sell it externally to foreign countries. And anytime we deal with potentially foreign military sales, we have to go through ITAR, which is, of course, a rather involved review before we can export anything.

Are there any new trends in open source software?

HOUGHTON: The biggest one that we are seeing is the transition to rich Internet technologies – and the trend over the past year to push toward more HTML5 functionality in the rich Internet application space and even in the mobile application space. With Adobe announcing this year that they are giving up on Flash runtime on the mobile devices and feeding that to HTML5, it’s really interesting. One of the best things with HTML5 is that it provides the ability to do all the things you can do with Flash in terms of having a rich experience inside the browser (the ability to play video and to play audio and to have interactive content) – without having any plug-ins. HTML5 is still not a standard ratified by the World Wide Web Consortium, so Internet Explorer and Microsoft are still not fully compliant with the HTML5 spec. But other browsers such as Google Chrome and Safari are implementing all the functionality.

The other huge growth area that we are seeing is just Android being proliferated as an open source operating system on mobile devices and really providing an [alternative] to iOS. The fact that you have an open source operating system in a mobile space is very attractive. So I think the proliferation and growth of Android and in particular in the tablet space is going to be interesting as they try to compete with the iPad and iOS.

Carl Houghton, Vice President, Strategic Initiatives & Advanced Technology at Intelligent Software Solutions (ISS), is responsible for facilitating strategic business development goals across numerous business units in the company. Carl is a combat veteran of the U.S. Air Force. He flew more than 2,000 combat hours in support of operations in the Middle East and Bosnia and Herzegovina. He has a Bachelor’s of Science in Information Technology and is a graduate with honors from the Defense Language Institute in Modern Standard Arabic. Contact him at carl.houghton@issinc.com.

Intelligent Software Solutions | 719-457-0690 | www.issinc.com


Industry SpotlightSOFTWARE ANALYSISSymbolic executiontechniques identifyvulnerabilities insafety-critical codeBy Paul AndersonMulticore processors are becomingincreasingly popular in safety-criticalapplications because they offersignificant price and performanceimprovements. However, writingmultithreaded applications formulticore hardware is notoriouslydifficult and could result in catastrophicfailures. The following describessymbolic execution techniques foridentifying issues including dataraces – one of the most commonconcurrency defects – and how staticanalysis can help developers findand eliminate them.U.S. Air Force photo by Senior Airman Nadine BarclayMaximizing performance is especiallyimportant for military embedded systemsbecause of the growing needto keep costs low while satisfying therequirements of connectivity in anincreasingly digital battlefield. As manufacturersreach the limits of what canbe wrung from increased miniaturizationand integration, the best approach toincreased performance is the use ofmulticore processors.The downside is that to take full advantageof many cores executing inparallel, the software must be writtento be intrinsically multithreaded. Softwarewritten to be single-threadedfor a single core processor will realizelittle or no performance benefit whenexecuted on a multicore processor: Itmust be rewritten or adapted to usemultithreading. The key challenge is tokeep the cores busy as much as possible,while ensuring that they coordinateaccess to shared resources properly.Unfortunately writing such code is muchharder than writing single-threadedcode. When there are defects such asdeadlocks or race conditions, they canmanifest in ways that are difficult to diagnose.Traditional techniques for findingand eliminating concurrency bugs maybe ineffective.One of the core reasons why concurrencybugs are so difficult is becausethere is an enormous number of waysin which the events in the threads canbe interleaved when those threadsexecute. 
As the number of threads or instructions increases, the number of interleavings increases exponentially. If thread A executes M instructions and thread B executes N instructions, there are $\binom{N+M}{N}$ possible interleavings of the two threads. For example, given two trivial threads with 10 instructions each, there are 184,756 possible interleavings of those instructions. Even with very small programs it is clear that it is next to impossible to test all possible combinations. Secondly, even if it is possible to identify a single interleaving that leads to a failure, it can be very difficult to set up a repeatable test case that uses that particular interleaving because scheduling of threads is effectively nondeterministic.

Consequently, debugging concurrent programs can be very expensive and time consuming. A race condition is a class of concurrency defect that is easy to accidentally introduce and difficult to eliminate with conventional testing. However, there are techniques programmers can use to find and remove them.

Potential catastrophic failures

Compared to single-threaded code, entirely new classes of defect can occur in concurrent programs, including deadlock, starvation, and race conditions. Such defects mostly cause mysterious failures during development that are very difficult to diagnose and eliminate. One avionics manufacturer we have worked with spent two person-years applying traditional debugging techniques in an effort to find the root cause of an intermittent software failure that turned out to be a race condition.

Sometimes the consequences can be dire – two of the most infamous software failures ever were caused by race conditions. The Therac-25 radiation therapy machine featured a race condition that was responsible for the deaths of several patients[2]. Similarly, the 2003 Northeast blackout was exacerbated by a race condition that resulted in misleading information being communicated to the technicians[3].

There are several different kinds of race conditions. One of the most common and insidious forms – data races – is the class of race conditions involving access to memory locations.

A data race occurs when there are two or more threads of execution that access a shared memory location, at least one thread is changing the data at that location, and there is no explicit mechanism for coordinating access. If a data race occurs it can leave the program in an inconsistent state.

Consider avionics code that controls the position of a flap.
In normal circumstances the flap is in a position dictated by the flight control software, but the pilot can override that position by pressing a button on his control panel, in which case a manually set position is used. To keep things simple, let's say that there are two threads in the program: one that controls the flap and one that monitors the position of the elements on the control panel. There is also a shared Boolean variable, named is_manual, that encodes whether the manual override is set or not. The flap position thread checks the value of is_manual, and if true, it sets the position accordingly. The control panel thread listens for button press events, and if the override button is pressed, it sets is_manual to true. Figure 1 shows the code that one might write to implement this specification. This code is likely to work most of the time; however, because the is_manual variable encodes a state that is shared by both threads, it is vulnerable to a data race because access to it is not protected by a lock. If the flap positioning code is being executed at the exact time that the pilot hits the override button, then the program may enter an inconsistent state and the wrong flap position will be used. Figure 2 shows how this might happen.

    /* Flap position thread */
    ...
    if (is_manual)
        position = manual_setting;
    else
        position = auto_setting;
    set_flap_position();
    ...

    /* Control panel thread */
    ...
    if (override_button_pressed)
        is_manual = true;
    else
        is_manual = false;
    ...

Figure 1 | Code in two threads that access a shared variable

    Step  Flap position thread        Control panel thread
    1     if (is_manual)
    2                                 if (override_button_pressed)
    3                                 is_manual = true;
    4     position = auto_setting;
    5     set_flap_position();

Figure 2 | An interleaving of instructions that causes a data race that results in the wrong flap position being used

This example neatly illustrates one of the properties of data races that makes them hard to diagnose: The symptom of corruption may only be observable long after the data race has occurred. In this case, the fact that the wrong flap position is being used may only be noticed when the pilot notices the aircraft is not responding as expected.

A widely held belief is that some instances of data races are benign and can be tolerated. However, it is now clear beyond doubt that this is only rarely true. The C standard[4] states unambiguously that compilers are allowed to assume that there are no data races, so optimizers can and do make transformations that are valid for improving the performance of single-threaded code but which introduce bugs when there are apparently benign race conditions. These are subtle effects – even experienced programmers are regularly surprised by them. (See reference [1] for a full explanation and several compelling examples.) Because of this, to achieve high levels of assurance and avoid disastrous failures, it is very important to find and remove all data races.

Eliminating concurrency defects

Given that concurrency defects, and data races in particular, are so risky, it is important to use multiple techniques to eliminate them. Traditional dynamic testing is not well suited for finding many concurrency defects because of non-determinism. A program that passes a test hundreds of times may later fail in the same environment with exactly the same inputs because the bug can be exquisitely sensitive to timing. Engineers looking for high assurance must turn to other techniques if they are to eliminate concurrency defects.

Static analysis tools offer a means for finding such bugs. The key difference between testing and static analysis is that testing exercises a particular execution of a program for a given set of inputs, whereas static analysis finds properties that are good for all possible executions and all inputs. (In practice, static analysis tools make approximations to achieve acceptable performance and precision, so fall short of this ideal model. Nevertheless, they do cover many more cases than would ever be possible with traditional testing.)

Roughly speaking, static analysis tools work by creating a model of the program and by doing a symbolic execution of that model, looking for error conditions along the way.
For example, GrammaTech's CodeSonar static analysis tool finds data races by creating a map of which locks are held by which threads and by reasoning about the possible interleavings that could result in unsynchronized access to shared variables. Deadlock and other concurrency defects (including lock mismanagement) are found using similar techniques.

Custom concurrency constructs: A case study

Standard defect detection techniques are most useful when programs use standard ways of managing concurrency. Most tools recognize and can reason about the special properties of standard libraries such as the POSIX threads library or proprietary interfaces such as VxWorks. However, many systems use custom techniques for managing concurrency.

For example, another manufacturer we worked with built a safety-critical device on a platform that used a custom preemptive multithreaded software interface. In this design, a key constraint was that all data instances that could be accessed from multiple priority levels of threads had to be protected with proper guard constructs. Prior to using static analysis, validating that this constraint was respected required a person-month of manual analysis. To reduce the cost, they sought a solution by turning to static analysis. An important property of modern advanced static analysis tools is that they are extensible: They provide an API with abstractions that make it convenient to implement custom static-analysis algorithms. Using CodeSonar's API, they were able to program a solution that piggybacked on the algorithms used at the core of the existing analyses to find locations in the code where the design constraint was being violated. The resulting tool, implemented as a plug-in, is able to find violations of the key constraint automatically, all at a fraction of the cost and in much less time than was previously possible.

Multicore trade-off

There are compelling reasons to move to multicore processor designs, but the risk is that doing so introduces the possibility of concurrency defects in the software. These are easy to introduce – even apparently innocent code can harbor nasty multithreading bugs – and notoriously difficult to diagnose and eliminate when they occur. Traditional testing techniques alone are inadequate to ensure high-quality software, mainly because of the high degree of nondeterminism. The use of advanced static analysis tools that use symbolic execution is one approach that can help because such tools can reason about all possible ways in which the code can execute. These tools can find defects such as data races and deadlocks in code that uses standard multithreading libraries, and can even be adapted to designs that use nonstandard concurrency constructs.

References

[1] Boehm, H.-J., How to miscompile programs with "benign" data races. In HotPar'11 Proceedings of the 3rd USENIX conference on Hot topics in parallelism.
[2] Leveson, N.G., An investigation of the Therac-25 accidents. IEEE Computer, 1993. 26: pp. 18-41.
[3] Poulsen, K., Tracking the blackout bug, www.securityfocus.com/news/8412.
[4] C Standards Committee (WG14). Committee Draft: www.open-std.org/jtc1/sc22/wg14/www/docs/n1539.pdf

Paul Anderson is VP of Engineering at GrammaTech. He received his B.Sc. from Kings College, University of London and his Ph.D. in Computer Science from City University London. Paul manages GrammaTech's engineering team and is the architect of the company's static analysis tools. Paul has worked in the software industry for 20 years, with most of his experience focused on developing static analysis, automated testing, and program transformation tools. Contact him at paul@grammatech.com.

GrammaTech, Inc. | 607-273-7340 | www.grammatech.com
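The interleaving count and the Figure 2 race from the data-race article above, worked as an added example (not code from the article or from CodeSonar): a toy checker that enumerates every schedule of the two Figure 1 threads and counts those in which the flap is driven to the automatic position after the override flag is already set. The step split, the constants, and the modelling of a lock as mutual exclusion over each thread's whole body are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum { AUTO_SETTING = 10, MANUAL_SETTING = 99 };  /* constructed flap values */
enum { FLAP_STEPS = 3, PANEL_STEPS = 2 };         /* steps per thread, as in Figure 2 */

struct state {
    bool is_manual;    /* shared flag from Figure 1 */
    bool seen_manual;  /* flap thread's private result of testing the flag */
    int  position;     /* position chosen by the flap thread */
    bool violation;    /* flap driven to auto while override was already set */
};

struct result { unsigned schedules, violations; };

/* Interleavings of two threads with n and m steps: C(n+m, n). */
uint64_t interleavings(unsigned n, unsigned m)
{
    uint64_t c = 1;
    for (unsigned i = 1; i <= n; i++)
        c = c * (m + i) / i;   /* exact: c equals C(m+i, i) after each pass */
    return c;
}

static void flap_step(struct state *s, int pc)
{
    switch (pc) {
    case 0:  /* if (is_manual) */
        s->seen_manual = s->is_manual;
        break;
    case 1:  /* position = manual_setting or auto_setting */
        s->position = s->seen_manual ? MANUAL_SETTING : AUTO_SETTING;
        break;
    default: /* set_flap_position() */
        if (s->is_manual && s->position == AUTO_SETTING)
            s->violation = true;
        break;
    }
}

static void panel_step(struct state *s, int pc)
{
    /* pc 0 tests override_button_pressed (assumed pressed); pc 1 stores the flag */
    if (pc == 1)
        s->is_manual = true;
}

/* Depth-first walk over every admissible schedule of the two threads. */
static void explore(struct state s, int fpc, int ppc, bool locked, struct result *r)
{
    if (fpc == FLAP_STEPS && ppc == PANEL_STEPS) {
        r->schedules++;
        r->violations += s.violation;
        return;
    }
    /* With the lock, a thread that has started its body must finish it first. */
    bool flap_inside  = fpc > 0 && fpc < FLAP_STEPS;
    bool panel_inside = ppc > 0 && ppc < PANEL_STEPS;
    if (fpc < FLAP_STEPS && !(locked && panel_inside)) {
        struct state next = s;
        flap_step(&next, fpc);
        explore(next, fpc + 1, ppc, locked, r);
    }
    if (ppc < PANEL_STEPS && !(locked && flap_inside)) {
        struct state next = s;
        panel_step(&next, ppc);
        explore(next, fpc, ppc + 1, locked, r);
    }
}

struct result check_flap_code(bool locked)
{
    struct state start = { false, false, AUTO_SETTING, false };
    struct result r = { 0, 0 };
    explore(start, 0, 0, locked, &r);
    return r;
}

int main(void)
{
    struct result racy = check_flap_code(false), safe = check_flap_code(true);
    printf("10+10 instructions: %llu interleavings\n",
           (unsigned long long)interleavings(10, 10));
    printf("unlocked: %u of %u schedules misposition the flap\n",
           racy.violations, racy.schedules);
    printf("locked:   %u of %u schedules misposition the flap\n",
           safe.violations, safe.schedules);
    return 0;
}
```

Half of the unlocked schedules hit the Figure 2 failure, yet any single test run exercises only one of them, which is why the article argues that testing alone is not enough.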


Automated performance measurement and timing analysis help military embedded systems avoid early obsolescence

By Dr. Andrew Coombes

The ongoing success of military embedded systems on land, sea, and air depends on the ability to modify the systems to meet emerging requirements. Over time, accumulated modifications to software-based systems result in degradation of the performance of that system. Eventually, the resulting performance degradation leaves system developers with the choice of either abandoning planned new features or replacing the hardware and accepting early obsolescence. There is an alternative. Automated performance measurement and timing analysis technology provides developers with the tools to optimize away much of the performance degradation resulting from accumulated modifications, thereby avoiding either abandoning features or early obsolescence.

Photo courtesy of BAE Systems

Military embedded systems are typically enhanced many times during their lifetime. Many of these enhancements are software updates. Over time, the software updates cumulatively increase the demands placed on the computing platform. This can lead to the hardware's capabilities becoming insufficient to meet application demands, potentially resulting in intermittent failures.

System developers then face the difficult choice of either abandoning planned new features, leading to capability decay, or replacing the hardware (that is, early obsolescence).

A viable alternative requires the identification of high-impact, low-risk strategies for optimizing software, thereby maximizing the service life of the computing platform. This alternative includes automated performance measurement and timing analysis.

The problem of performance

Military embedded systems, and especially avionic systems, such as the BAE Systems Hawk's mission control computer, are often real-time embedded systems. Real-time systems are distinct because their correct behavior depends both on their operations being logically correct, and on the time at which those operations are performed. Engineers developing these systems must be able to provide convincing evidence that the software always executes within its time constraints.

The nature of software means that every time it is executed, it could take a different path through the code, leading to different execution times. Even when using the system in the same way, differences in the internal state could mean that the user sees widely varying execution times. Because of this, it is entirely possible to rigorously test software without seeing any timing problems, then to encounter a situation in actual use that results in significant timing problems. So to be sure a system always meets its execution time, it is necessary to establish its Worst-Case Execution Time (WCET), which is also a consideration for DO-178B.

Finding Worst-Case Execution Time

Measurement is an approach often taken to obtain confidence in the timing behavior of a real-time system. To measure timing, engineers typically place instrumentation points at the start and end of sections of code they wish to measure. These points record the elapsed time, either by toggling an output port (monitored via an oscilloscope or logic analyzer) or by reading an on-chip timer and recording the resulting timestamps in memory.

Unfortunately, these high-water marks might not reflect the longest time that the code could take to execute. This happens when the longest path through the code has not been exercised by tests, as illustrated in Figure 1. Two tests, represented in Figure 1 by the green path and the blue path, are run. The observed execution times from these tests are 110 and 85 respectively.
Despite these tests executing all code in the software, there is a third path (shown in red), which has an execution time of 140, making it the longest path.

Figure 1 | Execution paths (blocks f1 to f4; path times 110, 140, and 85): High-water marks might not reflect the longest time that the code could take to execute. This happens when the longest path through the code has not been exercised by tests.

U.S. Air Force photo by Airman 1st Class Laura Goodgame


This example shows that simply executing all code isn't enough to exercise the longest path. For nontrivial code, it is very hard to devise tests that are certain to drive the code down its longest path. This situation can be avoided by adding instrumentation points at each decision point in the code. Whenever an instrumentation point is executed, its ID and a timestamp are recorded. Running a series of tests on the system results in the creation of a timing trace. Combining the timing information from the trace with information about the structure of the code makes it possible to find information about the timing behavior of the software, including predictions of WCET.

For typical military applications, which can run into millions of lines of code, it would be extremely laborious to instrument programs by hand; moreover, the volume of trace data typically produced would make manual attempts to combine trace data with program structural information infeasible. Fortunately, the tasks of program instrumentation, trace processing, combining trace data with program structural information, and data mining/presentation are all amenable to automation.
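The trace-plus-structure analysis described above, as an added example (not RapiTime's algorithm or code from the article): instrumentation records of ID and timestamp from two test runs are reduced to a per-block maximum, and the longest path through the block graph is then computed. The block graph and the per-block costs are assumptions constructed so that the two runs total 110 and 85 and the untested path totals 140, as in Figure 1; summing per-block maxima is a simplification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Instrumentation point IDs, numbered in topological order (assumed layout). */
enum { ENTRY_PT, F1, F2, F3, F4, EXIT_PT, NBLOCKS };

struct record { int id; uint32_t ts; };   /* one trace entry: ID + timestamp */

/* Assumed structure: entry branches to f1 or f2, then either to f3 or f4. */
static const int succ[NBLOCKS][2] = {
    [ENTRY_PT] = { F1, F2 }, [F1] = { F3, F4 }, [F2] = { F3, F4 },
    [F3] = { EXIT_PT, -1 },  [F4] = { EXIT_PT, -1 }, [EXIT_PT] = { -1, -1 },
};

/* Constructed trace of two test runs that together execute every block. */
static const struct record trace[] = {
    { ENTRY_PT, 1000 }, { F1, 1005 }, { F4, 1080 }, { EXIT_PT, 1110 }, /* green: 110 */
    { ENTRY_PT, 5000 }, { F2, 5005 }, { F3, 5025 }, { EXIT_PT, 5085 }, /* blue:   85 */
};

struct timing {
    uint32_t block_max[NBLOCKS];  /* longest observed time spent in each block */
    uint32_t high_water;          /* longest observed end-to-end time */
    uint32_t wcet;                /* longest path using per-block maxima */
    int worst_path[NBLOCKS];      /* block IDs along that path */
    int worst_len;
};

struct timing analyse(const struct record *t, size_t n)
{
    struct timing r = { 0 };
    uint32_t start = 0;

    for (size_t i = 0; i < n; i++) {
        if (t[i].id == ENTRY_PT)
            start = t[i].ts;
        if (t[i].id == EXIT_PT) {
            uint32_t total = t[i].ts - start;   /* unsigned math survives timer wrap */
            if (total > r.high_water)
                r.high_water = total;
            continue;
        }
        /* A block lasts until the next point fires; skip truncated runs. */
        if (i + 1 < n && t[i + 1].id != ENTRY_PT) {
            uint32_t d = t[i + 1].ts - t[i].ts;
            if (d > r.block_max[t[i].id])
                r.block_max[t[i].id] = d;
        }
    }

    /* Longest path: successors have higher IDs, so walk the blocks backwards. */
    uint32_t best[NBLOCKS] = { 0 };
    int next[NBLOCKS];
    for (int b = NBLOCKS - 1; b >= 0; b--) {
        uint32_t tail = 0;
        next[b] = -1;
        for (int k = 0; k < 2; k++) {
            int s = succ[b][k];
            if (s >= 0 && (next[b] < 0 || best[s] > tail)) {
                tail = best[s];
                next[b] = s;
            }
        }
        best[b] = r.block_max[b] + tail;
    }
    r.wcet = best[ENTRY_PT];
    for (int b = ENTRY_PT; b >= 0; b = next[b])
        r.worst_path[r.worst_len++] = b;
    return r;
}

int main(void)
{
    struct timing t = analyse(trace, sizeof trace / sizeof trace[0]);
    printf("high-water mark: %u\n", (unsigned)t.high_water);
    printf("predicted WCET:  %u via", (unsigned)t.wcet);
    for (int i = 0; i < t.worst_len; i++)
        printf(" %d", t.worst_path[i]);
    printf("\n");
    return 0;
}
```

The predicted path (entry, f1, f3, exit) was never executed by either test, which is the gap between the high-water mark and the WCET that Figure 1 illustrates.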
RapiTime from Rapita Systems is an automated performance measurement and timing analysis technology that helps solve the challenge of obtaining detailed timing information about large military embedded systems implemented in C, C++, or Ada.

Performance optimization

Knowing the WCET is only one part of the solution: When faced with the problem of a software component that overruns its execution time budget, it is essential that a systematic, scientific approach is taken to optimizing the component's performance.

Software performance optimization requires three questions to be answered:
- Where is the best place to optimize?
- Is the proposed optimization making an improvement?
- How much improvement can be made?

Where is the best place to optimize?

In a typical complex application:
(1) Most subprograms are not actually on the worst-case path; they contribute nothing to the worst-case execution time. Optimization of these subprograms would not reduce the WCET at all.
(2) Many subprograms contribute a small amount to the WCET and so do not represent good candidates for optimization. Effort spent optimizing these subprograms would not constitute an effective use of resources.
(3) A small number of subprograms contribute a large fraction of the overall WCET (Figure 2). Therefore, the subprograms are potential candidates for optimization.

Figure 2 | Cumulative contribution of subprograms to the overall WCET (vertical axis: cumulative contribution to the WCET, 0 to 100%; horizontal axis: number of sub-programs, up to all (100%))

By inspecting WCET information, engineers can easily identify a relatively small number of components where optimization could potentially have a large impact on the overall worst-case execution time.

Am I improving things?

It is sometimes tempting to try to short-circuit the analysis process by guessing where the worst-case hotspots are, optimizing that code, and then seeing what the effects are. However, the experience of software optimization tells us that even highly skilled software engineers with an in-depth understanding of their code find it almost impossible to identify the significant contributors to the WCET, and hence the best candidates for optimization, without access to detailed timing information.

Often it seems so obvious – "It must be that section of code that makes all those floating-point calculations that is the best candidate for optimization" – when actually, some innocuous-looking assignment hides a memory copy that is taking nearly all of the time. The answer to this problem is simple: Don't guess, measure. Then repeat the measurement to quantify the improvement (or lack thereof).

How much improvement can be made?

Table 1 indicates the level of improvements in Worst-Case Execution Times that can be obtained through a simple process of software optimization. These results were achieved using RapiTime technology to provide detailed timing information on the mission computer of a BAE Systems Hawk. These optimizations led to an overall decrease of 23 percent in WCET.

| Partition | Language | Notes | Optimization Level | Percentage Improvement |
|---|---|---|---|---|
| U | Ada | High data throughput | Design level | 60% |
| V | Ada | Spark exception | Low level | 10% |
| W | Ada | Efficient block copy | Sub-program | 40% |
| X | Ada | Multiple simple optimizations | Low level | 10% |
| Y | Ada | Efficient block copy | Design level | 50% |
| Z | Ada | Loop variables | Sub-program | 15% |

Table 1 | Optimization improvements on a BAE Systems Hawk mission computer

The benefits of WCET and performance optimization

Access to automated performance measurement and detailed timing analysis during the modification of military embedded systems can provide a number of advantages to the developer:
1. A systematic and scientific approach is utilized in obtaining confidence in the system's timing behavior.
2. Detailed information about worst-case execution time allows candidates for optimization to be quickly identified.
3. Automated measurement allows the effectiveness of candidate optimizations to be assessed.

The ability to do the best possible timing optimizations means avoiding making the hardware unnecessarily obsolete and eliminating the need to abandon planned new features or replace the hardware and accept early obsolescence.

Dr. Andrew Coombes is Marketing and Engineering Services Manager at Rapita Systems. For the past 15 years, he has helped develop and commercialize software tools for embedded, real-time applications.
He received his DPhil in Computer Science at the High-Integrity Systems Engineering Group at the University of York (UK) before working in a consultancy and for the BAE Systems Dependable Computing Systems Centre (DCSC). Contact him at acoombes@rapitasystems.com.

Rapita Systems | +44 1904 567747 | www.rapitasystems.com


MC-130J avionics to DO-178B tool from Presagis

Managing avionics safety certification challenges is a costly and time-consuming procedure, whether it is in military or commercial aircraft. Engineers at Presagis in Montreal, though, are making it a little easier for military avionics designers through a Human Machine Interface (HMI) solution called VAPS XT-178.

The tool, which is being used by Lockheed Martin Aeronautics engineers for developing embedded graphics displays on the MC-130J Increment 3 program run by the Air Force Special Operations Command (AFSOC), can be used with ARINC 661 and non-ARINC 661 programs. Through its runtime architecture, it can produce displays that run on multiple hardware and software environments. The Presagis tool also has a path for compliance with the new DO-178C guidance standard. VAPS XT-178 is based on Presagis's VAPS XT.

Presagis | www.mil-embedded.com/p367430 | www.presagis.com

SDR enabled by Virtex-7 FPGA modules from Pentek

FPGAs are a game changer for many signal-processing applications and especially for Software-Defined Radio (SDR). Each generation of FPGA enables more performance than the previous generation, enabling designers to shrink the footprint of military systems, providing more and more performance in even smaller packages. The new Onyx Virtex-7 line of FPGA modules is another example of that trend. The new Model 71760, the next generation of the company's Virtex-6 Cobalt line, is a four-channel, 200 MHz A/D XMC module targeted at SDR and signal-processing applications in military radar, communication, and Unmanned Aircraft System (UAS) programs.

The new Onyx devices have the same modular I/O interfaces as their Virtex-6 FPGA Cobalt line of products, while increasing memory, I/O performance, and logic. The 71760, for instance, is similar to the Pentek Cobalt 71660, but has twice the memory capacity and I/O bandwidth.
Because of the compatibility of Cobalt and Onyx, developers will be able to port software originally designed for Cobalt to corresponding Onyx modules.

Enhancements in the Onyx product line include doubling the DDR3 memory in size and speed to 4 GB and 1,600 MHz, respectively. The PCIe interface was upgraded to Gen 3, delivering speeds as fast as 8 GBps. The 71760 FPGA comes preconfigured with a suite of built-in functions for data capture, synchronization, tagging, and formatting. Onyx also has enhanced FPGA loading modes for easier live reconfiguration. About 12 more Onyx products will be released throughout the year.

Pentek | www.mil-embedded.com/p367433 | www.pentek.com

New control unit provides Condition Based Maintenance (CBM) for military ground vehicles

Leveraging Intel Atom-based processing technology, engineers at Aitech Defense Systems in Chatsworth, CA, are able to provide a rugged, lightweight, control unit for military ground vehicles. The NightHawk RCU, weighing only 4.5 lbs, provides Condition Based Maintenance (CBM) for military tracked and wheeled vehicle applications to reduce the overhead costs of preventative vehicle maintenance.

The NightHawk, which has a slimmer profile than similar models, also can be used for data concentrator and remote interface applications such as manned and unmanned ground or airborne vehicles as well as low Size, Weight, and Power (SWaP) Data Concentrator Unit (DCU) and Remote Interface Unit (RIU) applications. The device is also designed for extreme environments through natural convection/radiation cooling that dissipates as much as 22 W at +55 °C in stagnant (non-flowing) air, or at as hot as +71 °C with an optional low-pressure fan or baseplate.

Using a low-power Intel Atom processor that operates at 1.6 GHz, the new Aitech product provides as much as 2 GB DDR2 SDRAM as well as between 4 and 8 GB of SSD memory with an optional expansion up to 250 GB for extended and remote data collection and storage applications.
Optional I/O includes MIL-STD-1553B, ARINC 429 and ARINC 708, CANBus, WiFi and WAN ports, as well as video capture and processing, discrete and analog I/O, and an eight-port GbE switch.

Aitech Defense Systems | www.mil-embedded.com/p365005 | www.rugged.com

Editor's Choice Products are drawn from OSM's product database and press releases. Vendors may add their new products to our website at http://submit.opensystemsmedia.com and submit press releases at http://submit.opensystemsmedia.com. OSM reserves the right to publish products based on editors' discretion alone and does not guarantee publication of any product entries.

