By Paul Parkinson
RTCA DO-178C / EUROCAE ED-12C safety certification is a crucial step for safety-critical avionics software programs, but for many program managers and software leads it still poses significant risk, especially when using multi-core processors. This risk is mainly due to the fact that certification authorities have not yet issued formal guidance or policy on multi-core certification. The Certification Authorities Software Team (CAST), which includes the FAA and EASA, has published the CAST-32A position paper on objectives for multi-core certification; it should be considered when planning multi-core systems, since its objectives cover identifying and bounding the interference channels between cores (shared caches, interconnect, memory controllers and I/O) and verifying that the resulting timing behaviour is deterministic. Even so, industry is still gaining experience in how to enhance established processes and best practices to support multi-core certification. This was an opportunity for Wind River and a leading avionics supplier, Rockwell Collins, to prove industry leadership and certify the first system that robustly executes multiple functions with mixed DAL assignments on multiple cores within a single system-on-chip (SoC) processor.
With nearly 40 years of experience providing safe and secure solutions to the aerospace and defense market, Wind River recognized early on that developing DO-178C certification evidence for VxWorks 653 Multi-core Edition in isolation, without feedback from avionics customers or certification authorities, would present technical and certification risk. For these reasons, Wind River instead undertook a collaborative approach to multi-core certification with a leading avionics supplier.
The certification journey
In June 2017, Wind River announced the release of COTS certification evidence for VxWorks 653 Multi-core Edition, with the availability of a DO-178C DAL A certification package for a multi-core PowerPC processor. In his blog post, Stephen Olsen outlined the benefits of this COTS certification package, including that it “Removed significant certification and deployment risk from FAA programs.” One of the reasons for this statement is that Wind River had employed a strategy to reduce the technical and program risk of multi-core certification by collaborating with our lead customer, Rockwell Collins, on an FAA Program of Record.
This approach gave Wind River early validation of the VxWorks 653 Multi-core Edition software architecture and of the proposed approach to multi-core certification, through the DO-178C Stages of Involvement (SOI) audits. This greatly reduced the technical risk and program certification risk, and resulted in the release of the DO-178C DAL A Certification Package for VxWorks 653 Multi-core Edition on the QorIQ T2080 PowerPC SoC. Wind River has completed all requirements for SOI 4 (the final certification review), and these were accepted by Rockwell Collins in Q2 2018.
This customer journey, together with its strategic milestones, is now detailed in this Wind River and Rockwell Collins joint technical paper. It describes the approach taken by both companies to achieve DO-178C DAL A certification on multi-core, and shares some technical insights and lessons learned. Wind River and Rockwell Collins also intend to present a more detailed conference paper at forthcoming avionics and safety-critical conferences.