AdaCore for SCHEME — Safety-Critical Harsh Environment Micro-processing Evolution
by Kyriakos Georgiou
Introducing SCHEME
Rolls-Royce has assembled a world-class consortium of UK industry and academia to develop the next generation of microprocessors for use in aerospace and other harsh environments.
The next generation of aircraft, designed to meet net-zero targets, will require more complex, intelligent, autonomous, and connected systems, and at the heart of those software-enabled systems is the need for a cyber-secure, high-integrity processor.
Microprocessor design and manufacture is complex, and typically, commercial off-the-shelf automotive and general-purpose microprocessors are repurposed for aerospace. That approach has issues of obsolescence, complexity, and design trade-offs with long-term cost implications. Recent experience in the automotive industry has also demonstrated how the supply chain for off-the-shelf components can be significantly and adversely affected by global events such as COVID.
Project SCHEME (Safety-Critical Harsh Environment Micro-processing Evolution) will develop a new generation of UK-native, safety-critical, and cyber-secure microprocessors. Developing a bespoke processor reduces design and through-life costs, ensures the security of supply, and provides protection from the global issues that face the semiconductor industry.
The project will initially develop a control processor suitable for high-integrity control and monitoring. A manufacturing and support solution that provides better obsolescence protection than is available from off-the-shelf devices will be developed. It will also provide an associated electronics, security, and software tooling infrastructure to enable the UK to strengthen its position in high-integrity avionics design and manufacturing.
This project will build the UK's national resilience in this area and make the processor available not only to aerospace but also in other areas where systems operate in harsh environments. SCHEME will engage with the wider community to identify and pursue exploitation opportunities, including supporting potential adopters with microprocessor trials. The project will put the UK in a position to design and build the low-carbon, intelligent systems that will be critical to society in the future. Furthermore, the consortium has the potential to provide a complete packaged solution for high-integrity systems development to many potential customers, both within and outside the UK.
The £37.5m investment program is co-funded by the ATI Programme, which funds civil aerospace research in the UK and which is delivered in partnership by the Aerospace Technology Institute, the Department for Business & Trade and Innovate UK. Rolls-Royce is joined by AdaCore, TT Electronics, Volant Autonomy, Rapita Systems, The Manufacturing Technology Centre, Queen's University Belfast, University of Bristol, University of Sheffield, and University of York.
AdaCore and SCHEME
The SCHEME project will deliver a reliable safety-critical, high-integrity, cyber-secure microprocessor solution free from the issues related to the use of commercial off-the-shelf processing units. A vital component of that solution is the supporting software tool infrastructure. Such tooling requires adopting and extending existing toolchains with state-of-the-art techniques to meet the multidimensional requirements of the proposed cutting-edge microprocessor.
The SCHEME project is well aligned with AdaCore's commitment and proven track record of being a trustworthy software tool vendor for developing high-integrity applications. Therefore, the AdaCore UK R&D Centre of Excellence is uniquely positioned to produce software development and verification tooling that enables reduced cost and delivery time for safety-critical and cyber-secure applications. Such solutions will cover validation and verification processes, generating certification evidence, and software cyber-security hardening. These SCHEME-developed technologies will be integrated within a modern development environment supporting state-of-the-art practices, such as cutting-edge DevOps. To this extent, the UK AdaCore team will significantly contribute to establishing a trustworthy software ecosystem required for the commercial success of the processor.
AdaCore's technical involvement in the project spans four of SCHEME's five technical work packages, and AdaCore also leads the "Cyber-Security Mechanisms" work package. AdaCore's SCHEME goals can be summarized under three main themes:
The first theme aims to deliver a "GNAT Open-Source High-Integrity Cross Compiler Toolchain" for SCHEME's microprocessor. One of the major requirements for the new microprocessor is to meet today's needs for processing power alongside security concerns. The compiler toolchain has a significant role in achieving the cyber-secure, high-integrity requirements and the targeted performance set for the new microprocessor. AdaCore will research and deliver compiler-enabled performance optimizations and safety and security properties. This will result in a custom, open-source, cross-compiler toolchain for high-integrity software programming languages. The toolchain will be able to deliver secure code with the required performance and the means to a cost-effective verification process.
The second theme aims to deliver an "Open Source Safety-Critical and Security-Oriented Development Environment" that supports the latest trends in software development and is tailored to the needs of the targeted application space of the new microprocessor. This will integrate the newly created SCHEME technologies to make them easily accessible to the user. It will be designed to work with modern development paradigms and DevOps practices, such as containerized and secure Web-based development, and continuous integration/continuous delivery workflows. Enhanced reproducibility, support for Software Bill of Materials generation, and mechanisms to ensure the Software Supply Chain integrity are some of the new features to be supported within this workstream. Therefore, the delivered development environment will ease the production of high-integrity, cyber-secure applications and significantly boost the developer's productivity, translating to significant delivery time and cost reductions.
The last theme aims to deliver an "Open-Source Software Toolchain for Static and Dynamic Verification." Testing practices for verification and certification purposes are still heavily manual and expensive. AdaCore has been experimenting with and developing bleeding-edge dynamic testing techniques, such as fuzz testing, which have been demonstrated to detect source-code crashes automatically and increase code coverage. Building on this, we will update and extend our open-source verification toolchain with state-of-the-art verification and cyber-security practices to enable cost-effective and fast production of high-integrity and cyber-secure applications. To this end, new technologies such as symbolic execution, processor emulation, and code smell detection will be developed, while our existing solutions will be extended to become cross-platform and capable of running on multiple operating systems. Furthermore, deep integration of new and existing complementary AdaCore technologies, such as GNATfuzz with GNATtest and GNATcoverage, will significantly increase the tool suite's verification and security capabilities.
Finally, AdaCore is leading the exploitation activities of SCHEME. An influential User Group that covers a large part of the targeted application space for SCHEME's high-integrity processing platform has been established. This group will be engaged in all the project's activities, ensuring the industry's needs are being met.