Primary Flight Display and Multi-Function Display

A primary flight display (PFD) combines all critical flight instruments onto a single screen. Those instruments typically include an airspeed indicator, turn coordinator, attitude indicator, heading indicator, altimeter, and vertical speed indicator. A PFD can be an integrated unit that includes the computer and a display or an avionics computer driving separate displays. Given the criticality of the information, PFDs generally operate at RTCA/DO-178 (EUROCAE ED-12) Design Assurance Level (DAL) A.

A multi-function display (MFD) is an integrated display with configurable soft keys and the ability to run several different avionics applications and display different data sets on different pages.

C-5M Super Galaxy Cockpit

The INTEGRITY-178 tuMP RTOS is used broadly for both PFDs and MFDs. Example systems include the PFD-capable PU-3000 Avionics Computer and MFD-3068 Smart Multi-Function Display, both from CMC Electronics. Example aircraft deployments include C-5M Super Galaxy, RC-135, and C-130J aircraft as well as the S-92 and T-70 helicopters.

Mission Computing

A mission computer serves as the control center of a military aircraft, providing advanced situational awareness and control of combat and weapons systems. Its functions can include mission management, flight planning, weapons stores, display processing, sensor processing, information management, data fusion, and health monitoring.

Each of those functions can demand high computing performance; consequently, getting high utilization from modern multicore processors is a critical goal. The INTEGRITY-178 tuMP RTOS provides high-assurance multicore operation with multiple multiprocessing options to optimally schedule and allocate computing resources to those mission functions.

Example deployments include Northrop Grumman’s FlightPro™ Gen II and Gen III Mission Computer for UH-1Y and AH-1Z helicopters, as well as the mission computers on the C-130J and the combined MFD and mission computer on the T-70 helicopter.

Mission Computer for the AH-1Z and UH-1Y Helicopters

Flight Control Computer

The primary flight control computer (FCC), also called flight control electronics, uses input from multiple sensors, such as altimeters and velocity sensors, in combination with position and force inputs from the pilot controls to compute and transmit commands to the primary surface actuators to control and maintain normal flight. The FCC continuously monitors the aircraft and environment to automatically prevent undesirable flight situations, such as stalling. Because it is integral to the safe operation of the aircraft, the FCC normally operates at DAL A.

An example deployment of INTEGRITY-178 is in Honeywell’s flight control electronics for the Boeing 787 Dreamliner, which includes the autopilot and the fly-by-wire system.

Boeing 787 Dreamliner

Engine Controls

A digital engine control unit (ECU) monitors engine temperatures, engine pressure, air density, and many more sensors to automatically adjust engine settings to optimize performance and control engine output while responding to the pilot’s throttle.

Some ECUs are Full Authority Digital Engine Controls (FADECs), which have complete control of the engine without pilot backup. For increased assurance, a FADEC generally consists of two dissimilar, mechanically separated channels operating independently but cooperating with each other. The second channel provides full flight capability should a failure occur in the primary channel.

EMC-100 Full Authority Digital Engine Control

ECUs often can handle multiple software applications while monitoring engine health, reducing recurring engine costs, and improving logistics. Such systems are designed to operate at DO-178/ED-12 DAL A, but the partitioning in INTEGRITY-178 enables non-critical functions to be developed to lower levels, thereby reducing life-cycle costs. As an example, INTEGRITY-178 is deployed across TRIUMPH’s full line of ECUs, including the EMC-100 FADEC.

Flight Management System

A flight management system (FMS) provides in-flight management of the flight plan to improve fuel efficiency, reduce pilot workload, and improve safety. An FMS uses GPS and other sensors to determine the aircraft’s position and then guides the aircraft along the flight plan. This includes determining the most economical speed to fly during the cruise phase as well as the ideal descent for landing. Although some FMS operate at DAL C, many instrument approaches require a navigation system certified to DAL B.

An example FMS deployed with INTEGRITY-178 is CMC Electronics’ CMA-4000 Flight Management System. FMS functionality can also be included in more powerful avionics computers and multi-function displays, such as CMC’s PU-3000, CMC’s MFD-3068, and ASELSAN’s combined MFD and mission computer.

CMA-4000 Flight Management System from CMC Electronics

Traffic, Collision, and Terrain Avoidance

A traffic alert and collision avoidance system (TCAS) monitors the surrounding airspace for other aircraft equipped with an active transponder and warns if those aircraft present a threat of mid-air collision. To do that, the TCAS computer performs airspace surveillance, intruder tracking, and collision avoidance maneuver determination.

A terrain awareness and warning system (TAWS) is an avionics system designed to prevent unintentional impacts with the ground, also known as controlled flight into terrain (CFIT) accidents. TAWS collects aircraft position, speed, and direction data from GPS and compares them to a database of the earth's terrain and manmade obstacles.

It is common for TCAS and TAWS functionality to be combined in a single system. Example deployments of INTEGRITY-178 in such combined systems include the Boeing 787 surveillance system, which includes traffic, collision avoidance, terrain, and weather, and the T²CAS from Aviation Communication and Surveillance System (ACSS), a joint venture of L-3 Communications and Thales Company.

Degraded Visual Environment Systems

Landing a helicopter in a degraded visual environment (DVE) is one of the most challenging tasks for a pilot, particularly when some of that condition is created by rotor wash blowing up a cloud of dust, sand, or snow. The reduced situational awareness significantly increases the risk of dynamic rollover and hard landing, potentially resulting in the loss of the aircraft and crew. Yet, missions such as combat search and rescue (CSAR) require difficult landings with little to no visibility of the landing area.

DVE mitigation solutions fall into a few broad categories: enhanced vision, synthetic vision, and a combination of the two. Enhanced vision uses sensors to penetrate the blinding environmental conditions and provide real-time imagery of the external scene. Those sensors typically are some combination of infrared (IR), millimeter-wave radar, and lidar. When more than one sensor is used, the images need to be fused into a single scene. Synthetic vision is a computer-generated image of the external scene topography derived from a terrain database. The computer-generated image is typically displayed as background on a primary flight display (PFD) with the PFD guidance symbology displayed on top. A combined vision system uses both enhanced vision and synthetic vision, thereby gaining the advantages of both.

DVE mitigation systems help pilots overcome the loss of visual reference, such as when landing in brownouts (photo by Tech. Sgt. Jason van Mourik, Oregon Military Department Public Affairs).

Sensor fusion is computationally intensive and can include geo-registering 3D data and scaling, translating, dewarping, and aligning the images. The resulting scene needs to be displayed with low latency, typically less than 100 ms from when the images were acquired. Addressing these performance requirements during the critical landing stage leads to the need for a safety-critical multicore real-time operating system (RTOS).

Two examples of DVE systems are the SureSight™ SVS synthetic vision system from CMC Electronics and the Degraded Visual Environment Pilotage System (DVEPS), a combined vision system from Sierra Nevada Corporation (SNC). Both systems use the INTEGRITY‑178 tuMP safety-critical real-time operating system (RTOS) from Green Hills Software running concurrently on multiple cores of a multicore processor. The SureSight SVS runs on a quad-core Power Architecture® processor, and DVEPS runs on a quad-core Intel® Core™ i7 processor. DVEPS is deployed on HH-60M MEDEVAC Black Hawk utility helicopters, as well as MH-60M and MH-47G, which are special operations versions of the Black Hawk and Chinook helicopters. For more information, see our application note on DVE solutions.

GPS and other Position, Navigation, & Timing

Almost every part of our modern economy depends on the Global Positioning System (GPS). In commercial aviation, GPS enables increased capacity, shortened flight times, and reduced fuel consumption. It also increases safety by providing vertical guidance during landings and enabling TAWS to warn of trajectories too close to the ground. In the military, forces depend on GPS to navigate in hostile territory, guide munitions precisely, locate casualties for rescue, and fuse intelligence, surveillance, and reconnaissance data. Our broad reliance on GPS signals makes them a prime target for disruption, including jamming, spoofing, and hacking. Solutions for jamming and spoofing get considerable attention. For example, the new military code (M-code) GPS signal includes a stronger signal to mitigate jamming and stronger encryption to prevent spoofing.

GPS III Satellite Capable of Transmitting M-Code

A comprehensive solution to jamming supplements GPS with other forms of position, navigation, and timing (PNT) information. A typical solution includes an internal inertial navigation system (INS) updated with position information from some other form of alternative navigation such as visual navigation from onboard imaging sensors.

Jamming and spoofing of GPS signals are major concerns that are being addressed. A hacked GPS receiver or other PNT system can act similarly to a spoofed receiver and provide false position and timing information. That false information can direct vehicles into an ambush or direct an aircraft into a collision with an object or the ground. The software foundation for a solution to hacking is a separation kernel acting as a security monitor, which isolates each application and its data so that a hacked or malicious application cannot access any other part of the system. The INTEGRITY-178 RTOS is a proven high-assurance solution that has been certified to Common Criteria EAL 6+ and the NSA-defined Separation Kernel Protection Profile. Example GPS and PNT customer designs using INTEGRITY-178 include the MSI ASIC from Raytheon Intelligence & Space (RI&S) for their offering in the Military Global Positioning System User Equipment (MGUE) Increment 2 program and Northrop Grumman’s Global Navigation Air Data Inertial Reference Unit deployed on A380 and other Airbus aircraft.

Software-Defined Radios

Modern military software-defined radios (SDRs) are multi-function, open architecture solutions that support a wide range of integrated communications and networking mission functions across multiple domains. They often form the core of integrated avionics suites and communications, navigation, and identification (CNI) systems. Most airborne SDRs require safety certification, up to DAL A, and some SDRs also require cyber hardening and security certification. The multi-functional nature of SDRs benefits from the higher performance of multicore processors, demanding a solution for multicore interference. INTEGRITY-178 tuMP is the only RTOS or hypervisor that provides a general solution for multicore interference mitigation.

US Army Helicopters Using the IDM-401 Integrated Data Modem Include the CH-47 Chinook, AH-64 Apache, and UH-60 Black Hawk

One example deployment is the Integrated Data Modem (IDM-401) program, which was upgraded to the INTEGRITY-178 tuMP RTOS in order to utilize more than one core in the multicore processor while maintaining operation at DO-178C DAL A. The IDM-401 is the common solution for digitizing Army Aviation and is fielded on every modernized, rotary-wing Army aircraft, including the CH-47 Chinook, AH-64 Apache, and UH-60 Black Hawk.

Tactical data links, such as Link 16, provide modern forces the secure communication to enhance situational awareness, transfer critical data, and ensure command and control execution capability, even in contested environments. Because tactical data links often communicate data at multiple security levels, those systems require the highest level of security assurance.

The INTEGRITY-178 RTOS provides the highest level of security assurance, having been certified to the NSA-defined Separation Kernel Protection Profile (SKPP) for high robustness and to Common Criteria EAL 6+. An example deployment is the U.S. Air Force C-130J’s Special Mission Display Processor, which controls the flow of secure and unsecure information between aircraft systems and incorporates Link 16 situational awareness.

C-130J Super Hercules Military Transport Aircraft

Tactical Cross Domain Solutions

A tactical cross domain solution (CDS) enables information to be shared across different security domains in harsh and contested tactical environments, such as military aircraft, ships, and ground vehicles. Tactical CDS systems are a critical part of a multi-domain operational environment where warfighters need data at their fingertips to make real-time decisions.

Current CDS systems are required to meet the “Raise the Bar” (RTB) set of security standards first published in 2018 by the National Cross Domain Strategy Management Office (NCDSMO) within the NSA. RTB standards ensure that CDS systems are at low risk of failing, even under persistent attack. RTB is designed to combat evolving threats by continually improving CDS effectiveness.

US and Coalition 5th and 4th Generation Aircraft Train Together Using TCTS II

INTEGRITY-178 tuMP is the only real-time operating system (RTOS) ever used as part of a certification to RTB standards. Collins Aerospace is using INTEGRITY-178 tuMP in their small form-factor tactical CDS, which is being deployed on the U.S. Navy’s Tactical Combat Training System Increment II (TCTS II) program and is targeted for the U.S. Air Force’s P6 Combat Training Systems (P6CTS). TCTS II fields the first certified multi-level security (MLS) training equipment in both airborne and ground equipment to protect the tactics, techniques, and procedures being used.