Embedded systems are ubiquitously employed in electronic and electromechanical devices to provide one or a few specific functionalities. For example, military and commercial aircraft frequently utilize advanced avionics containing embedded systems such as inertial guidance systems, mission computers, GPS receivers, displays, etc. Each of these target embedded systems may have integrated operational software executing thereon to provide the specific functionalities for which the target system was designed. If the operational software executes on a safety-critical target system, such as an automatic flight guidance system, the software must be certified to ensure that operation of the target system meets rigorous, legally mandated safety standards.
As new software is developed or new data becomes available, the integrated operational software loaded on a target system may be updated to provide the additional functionality afforded by the new software and/or data. This is typically accomplished by a set of maintenance features embodied as a target-resident loader application built into the target system (e.g., residing in non-volatile memory on the system), such that executing these maintenance features allows a software update to proceed.
In some instances, the BIOS/OS of a target system may be modified to provide dual-boot capability, so that the target may optionally boot either into a standard mode in which its operational software normally runs or into a “maintenance” mode in which updates to the software may be performed by a target-resident loader application. Alternatively, maintenance functionality may be integrated directly into the operational software, such that updated software and/or data may be provided to the target system when requested through a user interaction with the target system. Regardless of the method used to provide the software data loader application to the target system, the processes associated with the data loader application must be subjected to the same rigorous safety standards as the operational software itself, because the software data loader application and the operational software are co-resident in non-volatile memory on the target hardware: the loader writes to the same memory that holds the certified operational software, so a defect in the loader can alter that software. Without such safety verification, the impact of the software data loader application on the execution of the safety-critical operational software is unknown, and therefore not acceptable.
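The dual-boot and target-resident loader arrangement described above, as an added illustration in C that is not part of this document and does not reproduce any particular vendor's implementation: a simulated non-volatile memory holding two image slots and a boot-control record, a maintenance-mode loader that verifies an update before programming it into the inactive slot and only then makes that slot active, and a boot selector that enters the loader when the maintenance flag is set and otherwise falls back to the previous image if the active one does not verify. The image header layout, the IMAGE_MAGIC value, SLOT_SIZE, the CRC-32 integrity check and the sample payloads are assumptions made for this example.

```c
/* Added illustration, not part of this document: a simulated target-resident
 * loader with two image slots.  Header layout, IMAGE_MAGIC, SLOT_SIZE assumed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SLOT_SIZE   256
#define IMAGE_MAGIC 0x4C4F4144u   /* assumed marker for a valid image header */
#define BOOT_LOADER 2             /* boot_select(): hand control to the loader */
#define BOOT_FAIL   (-1)          /* boot_select(): no bootable image at all */

enum boot_mode { BOOT_OPERATIONAL = 0, BOOT_MAINTENANCE = 1 };

struct image_hdr {
    uint32_t magic, version;
    uint32_t length;   /* payload bytes following the header */
    uint32_t crc;      /* CRC-32 over the payload */
};

/* Simulated NVM: operational images and boot-control record side by side. */
struct nvm {
    uint8_t slot[2][SLOT_SIZE];
    uint8_t active_slot;   /* slot the operational software boots from */
    uint8_t boot_mode;     /* BOOT_OPERATIONAL or BOOT_MAINTENANCE */
};

/* Standard reflected CRC-32 (polynomial 0xEDB88320). */
static uint32_t crc32_ieee(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Header sanity plus CRC check over a buffer of at most 'cap' bytes. */
static int image_valid(const uint8_t *buf, size_t cap) {
    struct image_hdr h;
    if (cap < sizeof h) return 0;
    memcpy(&h, buf, sizeof h);
    if (h.magic != IMAGE_MAGIC || h.length > cap - sizeof h) return 0;
    return crc32_ieee(buf + sizeof h, h.length) == h.crc;
}

/* Writes header + payload into 'out'; returns bytes written, 0 if too large. */
static size_t build_image(uint8_t *out, size_t cap, uint32_t version,
                          const uint8_t *payload, size_t n) {
    struct image_hdr h = { IMAGE_MAGIC, version, (uint32_t)n, crc32_ieee(payload, n) };
    if (sizeof h + n > cap) return 0;
    memcpy(out, &h, sizeof h);
    memcpy(out + sizeof h, payload, n);
    return sizeof h + n;
}

/* Maintenance-mode loader: verify before programming, write only the inactive
 * slot, verify the readback, then commit.  0 on success, -1 if rejected. */
static int loader_install(struct nvm *nv, const uint8_t *update, size_t len) {
    int target = (nv->active_slot & 1) ^ 1;
    if (len > SLOT_SIZE || !image_valid(update, len)) return -1;
    memset(nv->slot[target], 0xFF, SLOT_SIZE);                 /* erase */
    memcpy(nv->slot[target], update, len);                     /* program */
    if (!image_valid(nv->slot[target], SLOT_SIZE)) return -1;  /* readback */
    nv->active_slot = (uint8_t)target;                         /* commit */
    return 0;
}

/* Dual-boot dispatch: maintenance mode enters the loader; otherwise boot the
 * active slot, falling back to the other one if the active image fails to verify. */
static int boot_select(const struct nvm *nv) {
    int a = nv->active_slot & 1;
    if (nv->boot_mode == BOOT_MAINTENANCE) return BOOT_LOADER;
    if (image_valid(nv->slot[a], SLOT_SIZE)) return a;
    if (image_valid(nv->slot[a ^ 1], SLOT_SIZE)) return a ^ 1;
    return BOOT_FAIL;
}

/* Factory load, good update, corrupted update, maintenance boot.  Returns 0 if
 * every step behaves as expected, else the failing step.  Payloads are constructed. */
static int demo_scenario(void) {
    static const uint8_t ops_v1[] = "operational software v1";
    static const uint8_t ops_v2[] = "operational software v2";
    struct nvm nv;
    uint8_t img[SLOT_SIZE];
    size_t n;

    memset(&nv, 0xFF, sizeof nv);   /* blank NVM */
    nv.boot_mode = BOOT_OPERATIONAL;
    nv.active_slot = 0;
    if (!build_image(nv.slot[0], SLOT_SIZE, 1, ops_v1, sizeof ops_v1) ||
        boot_select(&nv) != 0) return 1;                       /* step 1 */

    n = build_image(img, sizeof img, 2, ops_v2, sizeof ops_v2);
    if (loader_install(&nv, img, n) != 0 || boot_select(&nv) != 1) return 2;

    n = build_image(img, sizeof img, 3, ops_v2, sizeof ops_v2);
    img[sizeof(struct image_hdr) + 3] ^= 0x01;                 /* corrupt one byte */
    if (loader_install(&nv, img, n) != -1 || boot_select(&nv) != 1) return 3;

    nv.boot_mode = BOOT_MAINTENANCE;
    if (boot_select(&nv) != BOOT_LOADER) return 4;
    return 0;
}
```

The point of the verify-before-program, inactive-slot-only and verify-before-commit sequence is that a faulty or interrupted update can never leave the slot the operational software is currently running from in an unknown state, which is exactly the impact the text says must be bounded when loader and operational software share non-volatile memory. A CRC only detects accidental corruption; protecting the update path against deliberate modification would additionally require the loader to check a signature over the image, which is outside what this example shows.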