Making Aerospace and Defense Mixed-Criticality Systems Secure and Safe
Mission systems for aerospace and defense (A&D) must deliver ever-increasing capabilities on edge-ready hardware that operates within strict space, weight, and power (SWaP) constraints. To achieve this goal, functions that once required dedicated hardware are consolidating onto shared high-performance compute platforms.
That means software applications of varying safety criticality need to operate side by side. A thoughtful approach to mixed criticality is necessary to ensure that they can run safely, securely, and in isolation from one another.
This architectural imperative is growing more urgent, particularly on aircraft platforms. Manned/unmanned teaming, vertical take-off and landing (VTOL), electric vertical take-off and landing (eVTOL), and the U.S. Army’s Component Common Architecture (CCA) rely heavily on software consolidation.
As developers have understood for decades, security must be part of every phase of the development lifecycle (SDLC), treating it as a core requirement rather than an afterthought. An architectural foundation should make safety and security inherent to the platform and sustainable over long operational lifecycles.
In practice, while software components may differ in safety criticality, any one of them can become an attack path or a failure trigger. Every component matters to the mission.
Mixed Criticality Changes the Safety Equation
A real-time control function, a mission application, and a noncritical user interface might all share processing resources. This consolidation reduces SWaP demands and it can lower development and operational costs.
However, the consolidation also changes how software and hardware architects manage safety. Functions, especially safety-critical functions, must behave predictably, no matter what other software runs alongside them.
This challenge is well established in safety and airworthiness guidance. Integrated modular avionics (IMA) concepts emphasize strict separation between functions so that faults, delays, or unexpected behavior in one application do not affect others.
Mixed criticality is a major focus for both military and civilian aircraft. In the U.S., Federal Aviation Administration guidance on software assurance and IMA reinforces partitioning as a core mechanism for maintaining independence between functions. This approach is central to systems designed to meet DO-178C and DO-297 objectives for airborne software. Additionally, while reusable software components can speed new system development, aircraft systems built using this methodology must comply with the FAA’s AC 20-148 advisory, which the U.S. Army Aviation Authority also adopted.
Start with the Architecture
The system architecture should enforce isolation by design. Fault containment requires software and hardware architects to partition operations on a shared compute platform.
Two principles are essential.
The first is resource control, via a real-time operating system (RTOS) that runs in a virtual machine on a hypervisor. Safety-critical workloads must run precisely as intended, without disruption from other software on the system. Guaranteeing each partition unimpeded access to its allotted processing, memory, and I/O resources keeps critical functions stable and predictable even when noncritical software changes. The result is stronger safety assurance and fewer surprises during testing, certification, and operations.
The second principle is non-propagation of errors. Architectures strengthen safety cases and simplify long-term sustainment by preventing a failure from cascading across partitions. Strong isolation also limits the impact of cyber events on safety-critical behavior, reflecting global safety and security guidance, including NIST Special Publication 800-160 in the U.S. and international standards such as IEC 62443. These guidelines treat safety, security, and system resilience as interdependent challenges.
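Both principles can be seen in a static time-partitioned schedule of the kind IMA platforms use. The simulation below is an added, constructed example (not Wind River code): each partition owns a fixed window in a major frame, a workload that wants more time than its window is cut off and reported to a health-monitor log, and an exception inside a partition is caught at the partition boundary, so neither event shifts the start of the safety-critical partition. Partition names, window sizes, and workload figures are invented for the illustration.

```python
"""Constructed simulation of a static, time-partitioned major frame (the
IMA / DO-297 style partitioning the text describes).  Each partition owns a
fixed window; overruns are cut off at the boundary and faults are caught
there, so neither can move the next partition's start.  Not Wind River code."""
from dataclasses import dataclass, field

@dataclass
class Partition:
    name: str
    window_us: int            # fixed time budget per major frame
    work_us: int              # time the workload would like to consume
    faulty: bool = False      # simulate an application fault
    run_log: list = field(default_factory=list)   # (start, end) actually run

def run_partition(p, start_us, events):
    """Run p in its window; the returned end time never depends on the workload."""
    end_us = start_us + p.window_us
    try:
        if p.faulty:
            raise RuntimeError("application fault")
        if p.work_us > p.window_us:       # budget enforced, not cooperative
            events.append((p.name, "overrun", p.work_us - p.window_us))
        p.run_log.append((start_us, start_us + min(p.work_us, p.window_us)))
    except RuntimeError as exc:           # fault contained at the boundary
        events.append((p.name, "fault", str(exc)))
    return end_us

def run_frames(schedule, frames, events):
    """Cycle the static schedule `frames` times; return the final clock."""
    t_us = 0
    for _ in range(frames):
        for p in schedule:
            t_us = run_partition(p, t_us, events)
    return t_us

def start_jitter_us(p, major_frame_us):
    """Worst deviation of p's start from its periodic slot (0 = deterministic)."""
    starts = [s for s, _ in p.run_log]
    return max(abs(s - starts[0] - i * major_frame_us) for i, s in enumerate(starts))

def simulate(frames=4):
    """Constructed schedule: greedy UI, critical flight control, faulty mission app."""
    ui = Partition("ui", window_us=2000, work_us=3500)
    fc = Partition("flight_control", window_us=3000, work_us=2500)
    mission = Partition("mission", window_us=5000, work_us=4000, faulty=True)
    schedule, events = [ui, fc, mission], []   # events: health-monitor log
    major_frame_us = sum(p.window_us for p in schedule)
    run_frames(schedule, frames, events)
    return {p.name: p for p in schedule}, events, major_frame_us
```

Running `simulate()` shows the flight-control partition starting at exactly 2000 µs into every 10 000 µs frame, with the UI overrun and the mission-partition fault recorded in the health-monitor log rather than felt by the critical partition.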
Treat Virtualization as a Safety Enabler
Virtualization is a key mechanism for implementing mixed-criticality architectures, but only when it meets functional safety and determinism needs. A safety-oriented hypervisor can host multiple operating systems and workloads on shared multi-core hardware and also enforce strict isolation and predictable scheduling.
Virtualization puts significantly greater demands on system functions, and it requires vastly more computing power. Virtualization can support both consolidation and assurance as long as the system runs on modern processors and engineers carefully control resource use and scheduling. The result is greater design flexibility without sacrificing predictability of behavior.
Design for Certification, Not Around It
In safety-critical A&D programs, certification is a significant driver of cost and schedule risk. In mixed-criticality systems, architecture plays a significant role in whether certification is a bottleneck or a manageable process.
Architectures built around clear partition boundaries enable a modular certification strategy. Instead of certifying entire systems as monolithic entities, project teams can rely on prequalified foundational components. Project managers can use vendor-provided, independently validated certification evidence as part of a broader system certification effort. The team can focus certification efforts on the applications and integrations they control, rather than worry about recertifying the underlying platform.
Manage Safety and Security Over Long Lifecycles
Mixed-criticality systems are rarely static. Missions change, threats emerge, and new capabilities are introduced. Everyone needs confidence that changes can be made without destabilizing the system.
Modular partitioning allows updates to be isolated and verified independently. Simulation and digital twin approaches enable teams to assess timing behavior, fault scenarios, and integration risk early in the development lifecycle. Government programs are using this approach to reduce downstream integration and certification risk.
Automation also plays a critical role. Secure CI/CD pipelines help ensure that updates to non–safety-critical software do not introduce unintended effects.
A Balanced Path Forward
Achieving safety and security for mixed-criticality systems is not a choice between flexibility and assurance. Both depend on strong architectural foundations.
Organizations can consolidate compute resources and also maintain confidence in safety and security outcomes by designing systems around deterministic partitioning, safety-oriented virtualization, and certification-aware components. This approach reduces risk, supports long lifecycles, and enables controlled evolution as missions and requirements change.
In an environment in which complexity continues to grow, the right architecture turns mixed criticality from a source of uncertainty into a platform for sustained mission success.
Wind River has deep expertise with mixed-criticality systems in aerospace and defense. Consult our detailed explanation of how Wind River supports mixed-criticality systems at the intelligent edge with safety-certifiable platforms designed for consolidation, isolation, and long-term assurance.