Choosing the optimal software solution for long-life unmanned systems

2Defense platforms are expected to perform over a long operational life that can span several decades. Developing high-reliability, safety-critical software that is built to last requires comprehensive tools from trusted industry partners. Robust software-development solutions can help engineers design and develop new long-life unmanned systems and can enable upgrade of systems on currently fielded unmanned platforms to extend their life cycle.

Defense and aerospace platforms have always been “built to last” but, in this day and age, all manner of such vehicles – land, sea, air, and space – are expected to perform over a long operational life that can span several decades. The Boeing B-52 Stratofortress military aircraft, for example, has been in service with the U.S. Air Force for more than half a century since its first flight in 1952. Boeing stopped producing the subsonic, jet-powered bomber in 1962, but upgrades performed in 2013 and 2015 are expected to extend the B-52’s useful life through 2045 or 2050.

The time- and cost-intensive process of designing, developing, manufacturing, testing, and certifying new platforms is often avoided for as long as possible. Attention is, therefore, focused on ensuring systems – both in development and already deployed – are capable of operating over an extended service life.

Unmanned vehicles – including unmanned aircraft systems (UAS), unmanned ground vehicles (UGVs), and unmanned underwater vehicles (UUVs) – are now being held to the same longevity standard as their manned counterparts. NASA’s Voyager 1 and 2 unmanned spacecraft are still operating, exploring, and communicating daily a full 40 years after being launched into the harsh, radiation-rich space environment in 1977. Unmanned vehicles back on Earth suffer a different fate.

Unmanned expiration

Two early UAS platforms important to the U.S. military are now nearing two decades of service – the RQ-5 Hunter from Israel Aerospace Industries (IAI) and Northrop Grumman and the General Atomics . The RQ-5, having entered service in 1995, flew its final flight with the U.S. Army in 2015, but defense contractors are said to be operating retired units overseas.

The MQ-1, a workhorse for the past 20 years, will retire from service with the U.S. Air Force in 2018. The retirement was originally scheduled for the 2015-2017 timeframe, but was postponed because its surveillance skills were needed in the Middle East. (Figure 1.)

21
Figure 1: The MQ-1 Predator has been a workhorse UAS for the U.S. military for more than 20 years. Photo courtesy U.S. Air Force.

Software and hardware engineers have updated the MQ-1 several times to extend its useful life and add to its capabilities to keep pace with military mission needs and requirements. Strictly a surveillance drone when first introduced in 1995, the MQ-9 Reaper – also made by General Atomics – has since evolved into an armed airborne weapon via software and hardware upgrades.

Government and military leaders have expressed the desire to get more out of the MQ-1 platform, but they recognize it is no longer feasible from a software and hardware perspective. Upon retirement, these UASs are expected to be stripped of their usable components and then populate an aircraft boneyard. Its software DNA will continue on in successor unmanned vehicles, however, and the lessons learned are helping to formulate best practices for engineering flexible, capable, long-life .

Software scrutiny

Software is an essential piece of the long-life puzzle, as militaries endeavor to extend both the capabilities and the life span of unmanned platforms. The software development environment, programming language, and verification/test/analysis tools are all critical components to ensure that unmanned systems keep pace with the changing threat environment, evolving certification and mission requirements, and user needs over a long operational life.

Robust software solutions can help engineers design and develop new long-life unmanned systems, as well as upgrade systems on currently fielded or retrofitted unmanned platforms to extend their life cycle. The service life of software code far exceeds that of the unmanned vehicles themselves. Long after a military vehicle has been retired, its software code can continue to lay the foundation for and be put to use in subsequent platforms – as is the case with the MQ-1 Predator. Choosing the optimal software tools is therefore critical, but it need not be challenging, particularly if several considerations are top of mind in the selection process.

Software development and verification tool considerations for long-life unmanned systems include:

  • scalability to accommodate incremental software/hardware updates that can handle additional capabilities, multimission payloads, changing certification requirements, and new threats;
  • regular updates to remain relevant, keep pace with user needs and industry/application demands, and improve efficiency and productivity;
  • a successful track record in the field on past high-assurance programs; and
  • comprehensive functionality including a complete software development suite and integrated development environment (IDE) offering such elements as a compiler, debugger, static analysis and testing tools, and support for model-based development and formal methods.

Flexible development

Long-life unmanned systems must stay current and relevant. As mission requirements change, their features and functionality must change as well. Military leaders – with their focus on preparedness – must field flexible, multimission systems capable of meeting current and future needs. The software development environment and toolset should help ensure that unmanned systems can keep pace with continuously evolving battlespace environments.

Modularity and scalability are key attributes in virtually all software and hardware solutions today. End users, program managers, and engineers alike prize a system’s ability to accommodate incremental updates to grow capabilities, change payloads, fix issues, address security vulnerabilities, and integrate the latest technology innovations – all in the name of extending usability over a long life.

Unmanned system designs can save development time and money by reusing ­specific functionalities, enabled by software code, from a predecessor vehicle. The software development environment should help to preserve and protect this already substantial investment in the software while maintaining the flexibility and scalability that is required for current and future growth. Language features can help here (for example, an object-oriented approach in which new components can be added as extensions of existing components without the need to modify or even recompile the old code). Tools support is also useful, such as browsers and code-analysis tools.

New and old

Blending legacy systems with new ones new always presents a bit of a challenge, but the right software development processes and tools can help.

One issue: The legacy code may have latent bugs or vulnerabilities that could be triggered when new functionality is added or the operational environment is changed. For example, an application originally assumed to be standalone, designed years ago when security was less of a concern, might now be remotely accessible and thus a potential target by adversaries. A static analysis tool that detects potential issues is a worthwhile investment; for example, a static analysis tool could flag constructs that exhibit weaknesses from the Common Weakness Enumeration (CWE).

Real-world software is written in multiple languages: It could be in Ada for safety-critical components, C for low-level routines, and Java or C++ for user interfaces. The software development environment should enable seamless interoperability of components in multiple languages, with checks where possible and practical at component interfaces.

System upgrades often entail a change of target platform. The code should be written to ease portability, and the language(s) in which the legacy software is written can affect the ease or difficulty of this process. As one example, Ada includes standard support for concurrency (tasking), so user code can be written portably instead of accessing an operating system’s thread services directly.

Interactions between new and existing components can have implications for safety and viability, but the software development environment can help detect and avoid such unwelcome side effects and incompatibility issues. Effective verification, testing, and static analysis tools can streamline upgrades by helping to discover and eliminate inaccurate properties, validate and retain desired properties, determine obsolete properties intentionally invalidated by the upgrade, and verify updated properties. The tools and processes should scale well and integrate new components as software and systems grow in both size and complexity over time.

Dealing with obsolescence

Software can have several causes, including hardware incompatibility or a vendor that stops supporting or advancing its product. To help combat obsolescence issues and better future-proof unmanned systems, development teams should invest in software tools backed by a longtime industry partner with a global community of users, all dedicated to the continued use and enhancement of the software language, development framework, and toolset. If a vendor does not support recent versions of the language(s) used on the project, then that could be a warning sign that their long-term commitment is questionable.

To facilitate future-proof software development, the programming language(s) used should have a long and proven track record of successful usage while also showing steady and controlled evolution – i.e., stability/compatibility but not stagnation. Moreover, the compiler should likewise have a strong history of successful usage and receive periodic upgrades in functionality and code quality.

In the event that a specific embedded electronics component, such as the processor, is upgraded, becomes outdated, or is no longer supported, expensive ports or rewrites can be avoided with the help of open, portable, interoperable software solutions. To facilitate change, the software development framework, including the programming language, should be portable across a range of hardware options, including cutting-edge and specialized embedded processors. An open, modular, scalable, and comprehensive development platform aids, rather than impedes, hardware/software integration and interoperability.

Long legacy

Past experience is often the greatest predictor of future behavior, so it is advantageous to select software solutions that have performed well and reliably over the long haul.

Designers working on UAS projects should invest in languages and tools specifically designed for and used in safety- and mission-critical applications that demand high integrity and assurance. It is useful to seek out software development and verification tools success­fully adopted by industry leaders on high-profile, complex, and perhaps even similar projects within defense, aerospace, and other markets that put a premium on safety and reliability.

A software development framework is only as strong as the provider that stands behind it, so look for a trusted industry partner with a long legacy of producing, supporting, and enhancing robust, capable, full-featured tools.

Software development and verification tools, as well as programming languages that are continuously enhanced and supported are generally more future-proof.

Whole package

The quality and effectiveness of the software development environment and toolset can have a profound effect on the resulting software and, in turn, influence the unmanned system as a whole. A holistic approach to unmanned vehicle development demands a power­ful, intuitive integrated development environment (IDE) that supports the full development workflow, from design and coding to system integration, testing, debugging, and code analysis.

Software issues can cause significant delays in production schedules, resulting in extensive and unwanted downtime in deployed environments. It is imperative – to the program schedule as well as the software quality – to find errors early in the development cycle when they are least expensive to correct. For the most critical components, the assurance achieved by formal methods – mathematics-­based confidence that par-ticular program properties (such as absence of runtime errors) have been met – can be well worth the investment.

Language and tool technology is available that can help unmanned system developers address these challenges. One example is the Ada language and its associated tool support. Ada provides extensive checks that help detect bugs even before the program is run, concurrency features that map efficiently to modern real-time operating systems (RTOS) and target hardware, full object-oriented programming functionality, and multilanguage interoperability.

Ada has evolved since its inception to reflect user experience and requirements and technological trends. The current version of the standard – Ada 2012 – includes support for contract-based programming (pre- and post-­conditions), which facilitates verification and in effect embeds requirements in the source code where they can be checked either statically or dynamically. Ada is currently fielded on a wide range of modern defense platforms and devices, including on land, at sea, and in air and space.

Supporting the Ada language are a variety of tools and development environments that have been used to produce software at the highest levels of safety criticality (Design Assurance Level A in DO-178B/C). Two such tools are offered by AdaCore: the GNAT Pro development environment, which has an edition that is especially amenable to long-lived systems that need to continue with a specific maintained branch of the technology; and the CodePeer static analysis tool that can find vulnerabilities in new or existing code (including the detection of a variety of weaknesses in the CWE).

Jeremy VanDomelen is an engineer turned consultant and writer with a degree in information systems. He holds many certifications in varying facets of computer software, hardware, and network design and implementation and has 20 years of experience designing, developing, and supporting advanced safety- and mission-critical systems and software.

Benjamin M. Brosgol is a member of the senior technical staff at AdaCore. He has been involved with programming language design and implementation throughout his career, concentrating on languages and technologies for high-integrity real-time systems. Dr. Brosgol holds Master of Science and Ph.D. degrees in applied mathematics. Readers may reach him at ben.brosgol@adacore.com.

Adacore www.adacore.com