_______________

Having built both separation kernels and real-time operating systems—and supported customers using both across a wide range of industries—we are familiar with the pros and cons of each software technology, as well as their security, safety, reliability, and adaptability impact on complex system designs. Yet despite providing strong security and safety benefits and being the foundation of some of the world’s largest mission-critical systems, separation kernels remain largely unknown and poorly understood. In this article, we hope to:

1. Bring some clarity to the topic of separation kernels vs. real-time operating systems (RTOSes) and embedded hypervisors
2. Discuss the benefits and drawbacks of using a separation kernel as the software foundation of your embedded systems design
3. Introduce LynxSecure^®, our own separation kernel

_______________

_______________

I hadn't heard of "bottom up" avionics certification before I read FAA's TC-16/51.  But now, looking back at it, I think the authors from Thales Avionics, including Xavier Jean, PhD, proposed a big change in perspective.  In their own words, here's their proposal to add "bottom up" analysis to aircraft safety certifications on Multi-Core Processors (MCP):

_______________

Linux is ubiquitous. It runs most internet servers, inside Android* smartphones, and is used on millions of embedded systems that, in the past, ran Real-Time Operating Systems (RTOSes). Linux can (and should) be used were possible for embedded projects, but while it gives you extreme choice, it also presents the risk of extreme complexity.

_______________

The most formidable challenges of modern avionics development programs are often centered around the safety certification process and the corresponding requirements and costs. Equally as challenging to any large development program are the design and implementation phases where the software application comes to life as it is realized on the target system environment. These phases can be compromised by:

_______________

Overarching Properties—an alternative design assurance approach to DO-178C—marks the biggest change in airborne software safety certification since DO-178B was unveiled in 1992. Intended to be more efficient and flexible than DO-178C, the approach was introduced as DO-178C and the Overarching Properties Initiative during FAA Chief Scientist George Romanski’s keynote address at the High Integrity Software Conference in Bristol, United Kingdom (UK).

_______________

Lynx Software Technologies has built and supported real-time operating systems (RTOSes) since 1988. We have witnessed hardware and embedded software technologies evolve and have supported our customers through the design, development, integration, certification, deployment, and support of software systems across mission-critical applications in avionics, industrial, automotive, medical, and other markets.

_______________

Do Real-Time Operating Systems (RTOSes) consistently provide the most effective platform for realizing your embedded software system design?  Most RTOS vendors seem to think so, frequently citing RTOS benefits while rarely discussing the disadvantages.  Too often, the question "Do You Need an RTOS?" is interpreted, "Which RTOS Do You Need?"

_______________

Lynx participated in this year’s Arm TechCon with a booth in the expo hall, where we demoed Lynx MOSA.ic and its components — LynxSecure^®, Buildroot Linux, LynxOS-178^®, and Lynx Simple Applications (which are bare-metal apps).  It was great to see people walk down the hallways and stop in the aisle to examine the Automotive demo and Industrial demos.

The concepts behind the demos apply across multiple industries and use cases; we simply chose to highlight these concepts in the context of these two markets for the purpose of putting together the demos.  For more information on the Automotive demo, you can read Chris Barlow's blog post.  Below you can see a close-up of the architectural graphic shown on the notebook’s screen:

_______________

Choosing an RTOS is not as simple as choosing a car.  We know about cars; we know their strengths and weaknesses and we intuitively understand compromises like performance vs practicality or luxury vs price.  We see all kinds of vehicles on the road, so the range of available cars is obvious. When choosing an RTOS, the middle ground is crowded—dozens of general-purpose RTOSes with broadly similar characteristics compete.  They all have a scheduler, services, libraries, middleware, technical support, and graphical tools. Any one of them could genuinely do a good job and so choosing between them is a mixture of quantitative metrics (like features and price) and qualitative measures (like past-experience, personal-preference, and reputation). 

_______________

In POSIX, an executing instance of a program is called a process.  To be conformant with the POSIX standard, processes must be kept separate through the use of memory protection.  An operating system (OS) that supports multiple processes is referred to as a “multiprocessing” OS.

_______________

The complexity of today’s automobiles is increasing with every new model on the market.  A modern car can contain hundreds of electronic control units and with connectivity and autonomy becoming commonplace, this is increasing dramatically as we enter the 2020s.  Many of these systems up until a few years ago have safely run on microcontrollers on an unsecured vehicle network, and this has been fine; the networks were ‘air-gapped’ from the rest of the world, and the risk of a malicious attacker causing any kind of danger to a car’s occupants by directly plugging in a new device was as likely as someone cutting the brake lines.  The automotive industry on the whole were happy with this risk.

_______________

_______________

This week saw LYNX’s cache partitioning feature for Lynx MOSA.ic™ demonstrated for the first time at the Collins Aerospace Embedded Computing Conference in Cedar Rapids, Iowa. Cache partitioning is a new feature of Lynx MOSA.ic™ released in September 2019 and based on Intel’s Cache Allocation Technology (CAT) CPU hardware feature.

_______________

_______________

Last week I was able to spend several days at the Open Group Future Airborne Capability Environment (FACE™) Technical Interchange Meeting (TIM) and consortium meetings.  For those who are not familiar with either the Open Group or FACE™, the Open Group is a global consortium of hundreds of tool vendors, systems integrators, academics, researchers, and consultants aimed at developing open, vendor-neutral technology standards and certifications for various industries, including Defense & Aerospace.

_______________

_______________

A DO-178B/C Reusable Software Component (RSC) is a software collection that is recognized as meeting the requirements of RTCA/DO-178B/C and that may be used on more than one project without having to regenerate certification artifacts.

The FAA grants RSC acceptance as part of a normal certification process, provided that the applicant complies with the guidance policy defined in FAA Advisory Circular AC 20-148. The acceptance allows future users of the DO-178B/C RSC to deploy the software without the added cost and risk of re-certification. This applies to components such as operating systems and networking protocols, that can then be reused (in unadulterated form) across hardware platforms. 

Why is a Reusable Software Component Important?

All software developers reuse what they create. But compliance with DO-178B/C makes reuse difficult because it often requires expensive re-certification efforts. Until now, there was no standard approach to reuse of safety-critical software.

Is It Just a Set of Artifacts?

The LynxOS-178^® RSC is more than just a set of DO-178B/C artifacts. In fact the RSC follows the guidance of AC 20-148 by addressing the most difficult and critical areas of certification: integration with multiple applications at various levels of DO-178B/C criticality. The documentation set includes a detailed partitioning and interface analysis that focuses on time, space and resource partitioning as well as timing margin analysis so developers can allocate budgets to use of operating system services. The set of RSC guidance documentation includes requirements, design data, test suites and coverage analysis to meet DO-178B/C requirements.

LynxOS-178 RSC for DO-178B/C Certification

The LynxOS-178 RTOS is the first and only time and space-partitioned, FAA-accepted RSC. LynxOS-178 offers the interoperability benefits of POSIX^® along with support for the ARINC 653 APplication EXecutive (APEX). The LynxOS-178 RSC is designed to be hardware-agnostic, so no changes are required to move the RSC onto other hardware platforms. The LynxOS-178 RSC acceptance applies to a family of PowerPC^® processors, including the PPC 75x, 74xx. 4xx, 603 and IBM 970.

Economic Benefits of the RSC for Embedded Projects

The economic value of an RSC lies in its ability to do three things:

1. Reduce engineering labor
2. Reduce program risk
3. Reduce cost

When an RSC is properly verified using the foresight of future use, then it is possible to perform verification to most DO-178B/C objectives and not have to revisit these activities if the RSC is not modified in future projects. The LynxOS-178 RSC provides integrators with guidance on how to integrate the RSC into applications and retain certification credit for the RSC.

More importantly, the LynxOS-178 RSC artifacts provide “educational value” to the integrator that reduces engineering labor. This educational value is provided in the form of written guidance and tests that help the integrator assimilate their applications on top of the LynxOS-178 RSC in a timely manner.

This educational value of the LynxOS-178 RSC artifacts provides integrators with a savings of 3-6 months of engineering labor over conventional DO-178B/C artifacts. This learning economy can be consistently applied in future projects. The LynxOS-178 RSC also reduces program risk by focusing certification audits where they should be focused: on the DO-178B/C objectives that remain to be satisfied and the integration of the component into an application.

With a standard set of DO-178B/C artifacts, a certification auditor can examine any part of the artifacts, even those areas that have been examined by someone else. On many occasions, developers who envision low risk with submission of standard DO-178B/C artifacts have found themselves the subject of auditors’ qualitative interpretations that result in added explanations, action items and even additional verification work resulting in a prolonged project schedule.  An auditor’s job is to scrutinize results closely and aggressively find weaknesses in the verification process. Very often it’s impossible to get through an audit the first time, even if the software has been approved before.

The RSC concept avoids this dilemma by focusing the engineering and auditing effort on software integration, not previously verified operating system functions such as message queues.

Lynx Software Technologies’ LynxOS-178 RSC acceptance can provide integrators with a savings of 6-9 months of schedule risk over conventional DO-178B/C artifacts.  This risk economy can be consistently applied in future projects. Lastly, the value of the LynxOS-178 RSC is to reduce overall cost to our customers. Lynx Software Technologies’ LynxOS-178 real-time operating system comprises approximately 60,000 lines of code.

The effort to verify a time- and space-partitioned operating system of this size is tens of person-years of effort.  The concept is simple; an accepted RSC that meets DO-178B/C objectives saves the integrator the cost of verification of an operating system.

Leverage the RSC for Your Embedded Project

Lynx has over 30 years’ experience in helping customers across avionics, automotive, and industrial markets to realize the benefits of software reuse for their complex safety- and security-critical embedded software systems. To learn more about how to leverage a Reusable Software Component (RSC) for your next project, please direct your inquiries to inside@lynx.com or fill out the form linked to the button below, and a representative will reach out to you within 1-2 business days.

_______________

CAST-32A presents the coordinated position of avionics certification authorities regarding Multi-Core Processors (MCPs).  While today’s aerospace ecosystem could benefit from the use of MCPs, before CAST-32A was published, FAA/EASA had not yet devised a means to obtain certification credit for safety-critical software deployed to an MCP.  Toward that end, the CAST-32A position paper identifies topics of concern that could impact the safety, performance, and integrity of DO-178C aviation software deployed to MCP(s). For each topic, the paper provides a rationale that explains why these topics are of concern and proposes objectives to address the concern. (CAST-32A, “Purpose”, p. 3)

_______________