Military Embedded Systems

Safety-certifiable COTS lowers the cost of keeping the skies safe


March 12, 2024

Gregory Sikkens


Curtiss-Wright image

Every day, at peak operational times in the U.S., the Federal Aviation Administration (FAA) Air Traffic Organization (ATO) handles approximately 5,400 aircraft flying in 29 million square miles of controlled airspace. When the growing number of uncrewed air systems (UASs) and other commercial and military uncrewed aircraft are also considered, the total number of aircraft flying daily over U.S. airspace significantly increases.

The critical systems responsible for an aircraft’s safe flight are subject to stringent safety regulations. Adherence to these regulations must be proven before an aircraft is deemed airworthy. The level of danger posed by an aircraft system in the event of a failure and the associated acceptable probability of failure dictate the Design Assurance Level (DAL) that system must meet to be certified for flight. For example, flight-critical systems whose failure would result in catastrophic loss of life – the highest level of danger – must meet DAL A to demonstrate a probability of failure lower than one in one billionth (10-9) per flight hour.

To ensure that UASs are equipped to fly without an onboard pilot, two TSOs [technical standard orders] have been released specifically for unmanned aircraft. TSO-C212, in accordance with DO-366 (UAS Air-to-Air Radar), provides standards for the UAS’s scanning radar that serves to detect other aircraft while in flight. The complementary TSO-C211 invokes DO-365 (UAS Detect and Avoid Systems) and outlines requirements for an onboard system capable of computing an avoidance maneuver should an intruder enter the UAS’s flight path. All UASs weighing more than 55 pounds, flying in controlled airspace above 400 feet and out of view of their operators, should meet DO-365 objectives and obtain TSO-211 authorization.

For larger UASs, there is a separate set of DALs and failure probabilities they must adhere to based on their kinetic energy at ground impact. The calculations behind these DALs are detailed in TSO-C213 (Unmanned Aircraft Systems Control and Non-Payload Communications Terrestrial Link System Radios).

Ultimately, the flight certification for an aircraft is authorized by the aviation authority in that aircraft’s country of origin, whether it’s the FAA, the European Aviation Safety Agency (EASA), or Transport Canada. Because multilateral agreements exist between many certification agencies, after an avionics system has been successfully safety-certified in one country, that certification is usually recognized as valid in numerous other countries (pending the completion of some additional paperwork).

To meet safety-certification requirements, system designers must provide data showing evidence of objectives identified by a means of compliance; this data is referred to as artifacts. Hardware and software components can be purchased from vendors who have experience and expertise in safety-certifiable COTS [commercial off-the-shelf] parts as an alternative to undertaking the rigorous, costly, and time-consuming process required to develop a custom safety-certifiable module from the ground up. Safety-certifiable COTS products are delivered with the full set of artifacts demonstrating certifiability to the objectives identified by a means of compliance, resulting in a significant reduction in the time and cost of certifying the complete system.

Military aircraft systems are often built using COTS modules. The reliability of COTS devices usually falls in the range needed to meet the far less stringent DAL C rating, suitable for systems whose failure would result in discomfort or injuries to the occupants, but not loss of life or loss of the aircraft. To meet DAL-C, a system must be designed to have <1 failure in 10-5/flight hour, far short of the 10-9 required failure probability for DAL A.

For this reason, when COTS devices are used, redundancy is needed to meet the probability of equipment failure. The use of a dissimilar redundant architecture mitigates common mode failures and meets DAL A requirements. By running different operating systems and applications on dissimilar hardware, system designers can add an extra layer of protection against latent software defects that would impact the different hardware architectures in similar ways.

To help system designers build redundant architectures with a lower risk of common mode failure, Curtiss-Wright offers a family of safety-certifiable COTS modules that include processors powered by NXP Power Architecture and Arm processors.

For example, the V3-1708, a SOSA Tech­nical Standard aligned, DAL A safety-certifiable processor features an NXP Layerscape LX2160A processor and supports Wind River’s VxWorks HVP safety-certifiable profile with a VxWorks 7 safety-certifiable profile guest operating system. It uses a rugged COTS single-board computer developed using AC/AMC 20-152A as a means of compliance – combined with off-the-shelf data kits for DO-254 and FMEA [failure mode and effects analysis] to support system architecture, Functional Failure Path (FFP) analysis, and certification.

Gregory Sikkens is Senior Product Manager, Curtiss-Wright Defense Solutions.

Curtiss-Wright Defense Solutions

Featured Companies


20130 Lakeview Center Plaza
Ashburn, Virginia 20147