BlackBerry QNX Meets FACE Adoption: And Now for Something Completely Different
Written by Chip Downing
October 27, 2022
Part 8 of the RTI Military Avionics Blog Series
From time to time, the path to new avionics innovations can be nothing short of inspirational – and this is definitely one of those times. Let me start by saying how delighted I am to share that BlackBerry® QNX® recently achieved certified conformance to the Future Airborne Capability Environment (FACE™) Technical Standard, Edition 3.1, using the FACE Operating Systems Segment (OSS) General Purpose Profile. This is really exciting and different, and this blog will help explain why.
In my previous Military Avionics blogs, I described the FACE OSS in the context of application separation using ARINC 653 and the related supplier role separation using RTCA DO-297. What I did not describe in detail was FACE OSS Profiles. There are four FACE OSS profiles with different combinations of ARINC 653 and POSIX support.
- FACE OSS Security Profile – ARINC 653 required, 173 POSIX calls required
- FACE OSS Safety Base Profile – ARINC 653 required, 252 POSIX calls required
- FACE OSS Safety Extended Profile – ARINC 653 required, 315 POSIX calls required
- FACE OSS General Purpose Profile – ARINC 653 optional, 675 POSIX calls required
ARINC 653 is used primarily in avionics programs, and most ARINC 653 suppliers have commercial RTCA DO-178C DAL A certification evidence. By design, there are only 56 APIs in the ARINC 653 standard, and these tend to be not overly complex, due to the cost of aircraft certification.
On the other hand, POSIX® (Portable Operating System Interface) is a family of standards specified (and trademarked) by the IEEE Computer Society for maintaining compatibility between variants of Unix operating systems from different suppliers. Unix of course emerged from the telecommunications industry: first invented by Brian Kernighan and Dennis Ritchie at AT&T Bell Labs in the 1960s, it was then used in minicomputer and mainframe computers as suppliers began to transition from proprietary operating systems to an environment that could enable application portability across different enterprise computer platforms. Today, the POSIX standard continues to be managed by the IEEE and The Open Group, and both organizations manage POSIX conformance tests. POSIX now supports over 1,000 system calls, as well as the Linux operating system. Linux is now the most popular implementation of POSIX, and most software developers, including avionics software developers, use Linux as a prototyping and development environment.
The QNX® Neutrino® Real-Time Operating System (RTOS) is based upon the POSIX standard. BlackBerry QNX is based in Ottawa, Canada, and has a strong following in the automotive industry – it was even owned by Harman International, an automotive company, until BlackBerry purchased them in 2010. (Harman International is now owned by Samsung.) As autonomous automobiles evolved, it was eminently logical that these new systems would continue to use QNX as their operating system of choice.
But outside of old James Bond films, automobiles of course do not fly. At least not yet. So DO-178C is not the safety certification standard of choice. Automotive, industrial, and autonomous automotive safety standards are derived from IEC 61508 and ISO standards, and the current standard for automotive autonomy is ISO 26262. Safety levels vary based on the standard, so instead of DO-178C Design Assurance Levels (DAL) ranging from A (highest) to E, we have ISO 26262 ASIL levels ranging from D to A, with ISO 26262 ASIL D the highest safety level for automotive and autonomous ground vehicles. Both standards cover software functional safety, so there is about a 75-80% overlap between the two specifications.
In a variety of ways, autonomy of course changes everything. For decades, the DO-178 standard was considered the ultimate software safety standard, while aircraft manufacturers effectively paved the way for creating certification evidence that could also be applied to a wide range of other industries. The emergence of autonomous vehicles, especially ground vehicles and automobiles, is currently driving massive investments in highly intelligent hardware and software platforms, which in turn need to be coupled with safety certification evidence to help ensure a return on that investment.
And today, that evidence is still predominantly ISO 26262, rather than DO-178C. This trend is accelerating too, due to the millions of new automobiles being designed and manufactured every year with a steadily increasing array of autonomous capabilities. By contrast, the aircraft industry simply cannot compete with that type of volume, which is roughly 1,000 times greater than the typical volume of aircraft production per year.
It would be financially impossible to rewrite this massive ISO 26262 hardware and software investment within a DO-178C context. So, the avionics industry is going to have to adapt and figure out how to leverage the certification artifacts of ISO 26262 certification programs when certifying systems using DO-178C.
I apologize for a bit of a long introduction on a range of subjects, but I wanted to make sure I put the significance of BlackBerry QNX achieving FACE conformance in its proper context.
- ARINC 653 evolved from the avionics industry
- POSIX evolved from the communications industry
- The FACE OSS uses both ARINC 653 and POSIX
- ARINC 653 suppliers use RTCA DO-178C as the safety certification standard
- QNX, with its POSIX RTOS, uses ISO 26262 as the safety certification standard, supported by a large automotive and industrial customer base
- Future autonomous systems will span ground, air, sea and space operations
This is Different in a Very Good Way
POSIX was never designed to be certified in avionics software, but its utility as a powerful communications foundation has driven a range of avionics (and FACE) suppliers to support mission and other non-flight-control systems with this standard. These avionics suppliers can now build even more powerful critical systems using a wider range of POSIX capabilities. In addition, instead of inventing and investing in every single safety artifact required for DO-178C certification, avionics certification engineers can now leverage the massive investment in ISO 26262 platforms to accelerate the deployment of more powerful certified avionics systems.
In summary, the achievement of FACE conformance certification by BlackBerry QNX paves the way to creating more powerful, more efficient and safer FACE systems with an accelerated time-to-deployment advantage. BlackBerry’s QNX Product Manager commented:
“BlackBerry QNX foundational software provides developers with certified software solutions for the increasingly intelligent edge, which includes aerospace and defense systems. Our software is designed for mission critical systems that rely on safety, security, reliability, and standards conformance, and allows developers to focus on delivering mission critical software,”
–Louay Abdelkader, QNX Product Manager, BlackBerry
QNX and RTI already have a strong track record of delivering joint ISO 26262 certification solutions for the automotive/autonomous vehicle market segment based on QNX foundational software and the RTI Connext® software connectivity framework. Connext has certified FACE conformance, commercial RTCA DO-178C DAL A certification evidence, and ISO 26262 ASIL D certification. Going forward, these industry and safety credentials will enable both companies to expand their ground-based success into standards-based airborne systems that can be both rapidly deployed and achieve airworthiness certification.
Congratulations to BlackBerry QNX on this groundbreaking achievement!
About the author
Chip Downing is Senior Market Development Director, Aerospace & Defense, Real-Time Innovations, Inc.
Chair, FACE Business Working Group Outreach Subcommittee
Vice-President, Ecosystem, DDS Foundation